CVE-2022-1587
Description
An out-of-bounds read in PCRE2's JIT compiler occurs when processing specific recursive regular expression patterns, potentially leading to application crash or information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read vulnerability exists in the get_recurse_data_length() function in pcre2_jit_compile.c in the PCRE2 library. The issue affects recursions in JIT-compiled regular expressions and is caused by duplicate data transfers [1]. The vulnerability is present in versions prior to commit 03654e7 [1].
Exploitation
An attacker can trigger this vulnerability by supplying a crafted regular expression pattern containing specific recursive constructs that cause duplicate data transfers during JIT compilation [1]. The attacker does not require any special privileges or authentication, as the vulnerable code path is reachable when PCRE2 processes user-supplied patterns. Successful exploitation does not require user interaction beyond the processing of the malicious pattern.
Impact
A successful out-of-bounds read can lead to the disclosure of sensitive memory contents or cause a denial of service (application crash). The scope of compromise is limited to the context of the application using the PCRE2 library; the attacker may gain access to information that could aid in further exploitation or simply cause the service to terminate [1].
Mitigation
The fix for CVE-2022-1587 was implemented in commit 03654e7 in the PCRE2 repository [1]. Users should update to a version of PCRE2 that includes this commit. The Fedora package announcements indicate that updates have been distributed for Fedora distributions [2][3][4]. No workarounds are available other than applying the patch or updating to the fixed version. There is no known inclusion of this CVE in the CISA Known Exploited Vulnerabilities catalog.
- [1] Fixed an issue affecting recursions in JIT · PCRE2Project/pcre2@03654e7
- [2] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DWNG2NS3GINO6LQYUVC4BZLUQPJ3DYHA/
- [3] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAX7767BCUFC7JMDGP7GOQ5GIZCAUGBB/
- [4] lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXINO3KKI5DICQ45E2FKD6MKVMGJLEKJ/
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
51 products; osv-coords, 49 versions:
- pkg:apk/chainguard/libpcre2-16-0 (no CPE), range: < 0
- pkg:apk/chainguard/libpcre2-32-0 (no CPE), range: < 0
- pkg:apk/chainguard/libpcre2-8-0 (no CPE), range: < 0
- pkg:apk/chainguard/libpcre2-posix-3 (no CPE), range: < 0
- pkg:apk/chainguard/pcre2 (no CPE), range: < 0
- pkg:apk/chainguard/pcre2-dev (no CPE), range: < 0
- pkg:apk/chainguard/pcre2-doc (no CPE), range: < 0
- pkg:apk/wolfi/libpcre2-16-0 (no CPE), range: < 0
- pkg:apk/wolfi/libpcre2-32-0 (no CPE), range: < 0
- pkg:apk/wolfi/libpcre2-8-0 (no CPE), range: < 0
- pkg:apk/wolfi/libpcre2-posix-3 (no CPE), range: < 0
- pkg:apk/wolfi/pcre2 (no CPE), range: < 0
- pkg:apk/wolfi/pcre2-dev (no CPE), range: < 0
- pkg:apk/wolfi/pcre2-doc (no CPE), range: < 0
- pkg:rpm/opensuse/pcre2&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/opensuse/pcre2&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 10.39-150400.4.6.1
- pkg:rpm/opensuse/pcre2&distro=openSUSE%20Leap%20Micro%205.2 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Enterprise%20Storage%206 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Enterprise%20Storage%207 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE), range: < 10.39-150400.4.6.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Manager%20Proxy%204.1 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20Manager%20Server%204.1 (no CPE), range: < 10.31-150000.3.12.1
- pkg:rpm/suse/pcre2&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 10.34-1.10.1
- pkg:rpm/suse/pcre2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 10.34-1.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWNG2NS3GINO6LQYUVC4BZLUQPJ3DYHA/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JXINO3KKI5DICQ45E2FKD6MKVMGJLEKJ/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KAX7767BCUFC7JMDGP7GOQ5GIZCAUGBB/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/ (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/03/msg00014.html (mitre, mailing-list)
- bugzilla.redhat.com/show_bug.cgi (mitre)
- github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 (mitre)
- security.netapp.com/advisory/ntap-20221028-0009/ (mitre)