VYPR
← All advisories
Unrated severityNVD Advisory· Published May 16, 2022· Updated Mar 6, 2025

CVE-2022-1586

CVE-2022-1586

Description

An out-of-bounds read in PCRE2's JIT compiler, due to incomplete character reading in case-less unicode property matching, could lead to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in PCRE2's JIT compiler, due to incomplete character reading in case-less unicode property matching, could lead to information disclosure.

Vulnerability

An out-of-bounds read vulnerability exists in the PCRE2 library, specifically in the compile_xclass_matchingpath() function within pcre2_jit_compile.c. The issue arises because, during case-less matching of Unicode properties in JIT-compiled regular expressions, the character is not fully read, leading to an incorrect value being processed. This affects PCRE2 versions prior to the commit that fixes it [1]. The vulnerability is triggered when a JIT-compiled pattern uses Unicode property matching with case-insensitive (/i) flag.

Exploitation

An attacker can exploit this vulnerability by crafting a regular expression that triggers the affected code path in the JIT compiler. The attacker would need to supply such a pattern to an application that uses PCRE2 with JIT enabled. No special privileges are required beyond the ability to provide input that is compiled as a regular expression. The exploit does not require authentication or user interaction beyond the compilation of the malicious pattern.

Impact

Successful exploitation results in an out-of-bounds read, which can leak sensitive memory contents. This could disclose confidential data, such as cryptographic keys or other secrets, to an attacker. The scope is limited to information disclosure; it does not directly allow code execution or privilege escalation. However, the leaked information could be used in further attacks [1].

Mitigation

The fix for this vulnerability is available in commit d4fa336fbcc388f89095b184ba6d99422cfc676c to the PCRE2 repository [1]. Users should update to a version of PCRE2 that includes this commit. As of the publication date, Fedora has released updates for affected packages [2][3][4]. If patching is not immediately possible, application developers may consider disabling JIT compilation for user-supplied patterns as a workaround, though this may impact performance.

References
  1. Fix incorrect value reading in JIT. · PCRE2Project/pcre2@d4fa336
  2. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXINO3KKI5DICQ45E2FKD6MKVMGJLEKJ/
  3. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/
  4. lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAX7767BCUFC7JMDGP7GOQ5GIZCAUGBB/

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

104

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"An out-of-bounds read occurs in the PCRE2 library due to incorrect handling of case-less matching in JIT-compiled regular expressions."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted regular expression that utilizes case-less matching with unicode properties. This malformed input is processed by the `compile_xclass_matchingpath()` function within the JIT compilation path. The vulnerability is triggered when the character property is not fully read, leading to an out-of-bounds read.

Affected code

The vulnerability resides in the `compile_xclass_matchingpath()` function within the `src/pcre2_jit_compile.c` file. Specifically, the issue is related to how case-less matching is handled for unicode properties in JIT-compiled regular expressions [ref_id=1].

What the fix does

The patch modifies the condition in `src/pcre2_jit_compile.c` to correctly check if the preceding character is `XCL_PROP` before accessing `cc[1]`. The original code `if (*cc == PT_CLIST && *cc == XCL_PROP)` incorrectly checked the current character `*cc` twice. The corrected condition `if (*cc == PT_CLIST && cc[-1] == XCL_PROP)` ensures that the `ucd_caseless_sets` are accessed only when the preceding character is indeed `XCL_PROP`, preventing the out-of-bounds read [ref_id=1].

Preconditions

  • inputA regular expression utilizing case-less matching with unicode properties.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.