Pcre Pcre

Do you want an email whenever new security vulnerabilities are reported in any Pcre product?

Products by Pcre Sorted by Most Security Vulnerabilities since 2018

Pcre14 vulnerabilities

Pcre24 vulnerabilities

By the Year

In 2023 there have been 1 vulnerability in Pcre with an average score of 7.5 out of ten. Last year Pcre had 2 security vulnerabilities published. Right now, Pcre is on track to have less security vulnerabilities in 2023 than it did last year. Last year, the average CVE base score was greater by 1.60

Year Vulnerabilities Average Score
2023 1 7.50
2022 2 9.10
2021 0 0.00
2020 5 6.72
2019 0 0.00
2018 0 0.00

It may take a day or so for new Pcre vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pcre Security Vulnerabilities

Integer overflow vulnerability in pcre2test before 10.41

CVE-2022-41409 7.5 - High - July 18, 2023

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

Integer Overflow or Wraparound

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file

CVE-2022-1587 9.1 - Critical - May 16, 2022

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.

Out-of-bounds Read

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file

CVE-2022-1586 9.1 - Critical - May 16, 2022

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

Out-of-bounds Read

libpcre in PCRE before 8.44

CVE-2020-14155 5.3 - Medium - June 15, 2020

libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.

Integer Overflow or Wraparound

libpcre in PCRE before 8.43

CVE-2019-20838 7.5 - High - June 15, 2020

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Out-of-bounds Read

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode

CVE-2019-20454 7.5 - High - February 14, 2020

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

Out-of-bounds Read

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code

CVE-2015-2326 5.5 - Medium - January 14, 2020

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

Out-of-bounds Read

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group

CVE-2015-2325 7.8 - High - January 14, 2020

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.

Out-of-bounds Read

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c

CVE-2017-11164 7.5 - High - July 11, 2017

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Stack Exhaustion

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g

CVE-2017-6004 7.5 - High - February 16, 2017

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

Out-of-bounds Read

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which

CVE-2016-1283 9.8 - Critical - January 03, 2016

The pcre_compile2 function in pcre_compile.c in PCRE 8.38 mishandles the /((?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Buffer Overflow

The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which

CVE-2015-8391 9.8 - Critical - December 02, 2015

The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Buffer Overflow

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which

CVE-2015-8394 9.8 - Critical - December 02, 2015

PCRE before 8.38 mishandles the (?(<digits>) and (?(R<digits>) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Integer Overflow or Wraparound

PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which

CVE-2015-8390 9.8 - Critical - December 02, 2015

PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Use of Uninitialized Resource

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which

CVE-2015-8389 9.8 - Critical - December 02, 2015

PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Buffer Overflow

PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which

CVE-2015-8387 7.3 - High - December 02, 2015

PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Integer Overflow or Wraparound

PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which

CVE-2015-8386 9.8 - Critical - December 02, 2015

PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Buffer Overflow

PCRE before 8.38 mishandles certain repeated conditional groups, which

CVE-2015-8383 9.8 - Critical - December 02, 2015

PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Buffer Overflow

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script

CVE-2015-8393 7.5 - High - December 02, 2015

pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.

Information Disclosure

Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion

CVE-2014-8964 - December 16, 2014

Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Buffer Overflow

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.