Vendor
Pcre
Products
3
CVEs
30
Across products
46
Status
Private
Products
3- 37 CVEs
- 5 CVEs
- 4 CVEs
Recent CVEs
30| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-8786 | Cri | 0.64 | 9.8 | 0.01 | May 5, 2017 | pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. | |
| CVE-2017-8399 | Cri | 0.64 | 9.8 | 0.03 | May 1, 2017 | PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures." | |
| CVE-2015-3210 | Cri | 0.64 | 9.8 | 0.06 | Dec 13, 2016 | Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?P<B>c)(?P<B>a(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384. | |
| CVE-2016-1283 | Cri | 0.64 | 9.8 | 0.03 | Jan 3, 2016 | The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. | |
| CVE-2015-5073 | Cri | 0.59 | 9.1 | 0.01 | Dec 13, 2016 | Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis. | |
| CVE-2017-7246 | Hig | 0.51 | 7.8 | 0.01 | Mar 23, 2017 | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. | |
| CVE-2017-7245 | Hig | 0.51 | 7.8 | 0.00 | Mar 23, 2017 | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. | |
| CVE-2017-11164 | Hig | 0.49 | 7.5 | 0.00 | Jul 11, 2017 | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. | |
| CVE-2017-7186 | Hig | 0.49 | 7.5 | 0.07 | Mar 20, 2017 | libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup. | |
| CVE-2017-6004 | Hig | 0.49 | 7.5 | 0.04 | Feb 16, 2017 | The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression. | |
| CVE-2015-3217 | Hig | 0.49 | 7.5 | 0.01 | Dec 13, 2016 | PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/. | |
| CVE-2014-9769 | Hig | 0.48 | 7.3 | 0.01 | Mar 28, 2016 | pcre_jit_compile.c in PCRE 8.35 does not properly use table jumps to optimize nested alternatives, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via a crafted string, as demonstrated by packets encountered by Suricata during use of a regular expression in an Emerging Threats Open ruleset. | |
| CVE-2017-7244 | Med | 0.36 | 5.5 | 0.01 | Mar 23, 2017 | The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file. | |
| CVE-2008-0674 | 0.02 | — | 0.21 | Feb 18, 2008 | Buffer overflow in PCRE before 7.6 allows remote attackers to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255. | ||
| CVE-2007-4768 | 0.01 | — | 0.10 | Nov 7, 2007 | Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized. | ||
| CVE-2015-2328 | 0.00 | — | 0.03 | Dec 2, 2015 | PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. | ||
| CVE-2015-2327 | 0.00 | — | 0.03 | Dec 2, 2015 | PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror. | ||
| CVE-2014-8964 | 0.00 | — | 0.02 | Dec 16, 2014 | Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. | ||
| CVE-2008-2371 | 0.00 | — | 0.04 | Jul 7, 2008 | Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches. | ||
| CVE-2006-7230 | 0.00 | — | 0.03 | Nov 15, 2007 | Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions. |