CVE-2022-1586

An out-of-bounds read was discovered in the PCRE2 library, in the compile_xclass_matchingpath() function of pcre2_jit_compile.c. The defect lies in Unicode property matching in JIT-compiled regular expressions: in caseless matching, the JIT code did not fully read the character being matched, so matching could read beyond the buffer it was given. PCRE2 releases before 10.40 are affected; the distribution tables below list the patched package versions.
Provider   Type   Base Score     Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   9.1 CRITICAL   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
redhat     CNA    ---            ---           ---               ---              ---
CVE        ADP    ---            ---           ---               ---              ---

EPSS Score: percentile 53%
Vendor   Product                                      Version
pcre     pcre2                                        < 10.40   x
redhat   enterprise_linux                             8.0
redhat   enterprise_linux                             9.0
netapp   active_iq_unified_manager                    -
netapp   hci_management_node                          -
netapp   ontap_select_deploy_administration_utility   -
netapp   solidfire                                    -
netapp   h300s_firmware                               -
netapp   h500s_firmware                               -
netapp   h700s_firmware                               -
netapp   h410s_firmware                               -
netapp   h410c_firmware                               -
debian   debian_linux                                 10.0

x = vulnerable software versions
Debian Releases
Product: pcre2

Codename   Version           Status
bullseye   10.36-2+deb11u1   fixed
stretch    -                 no-dsa
bookworm   10.42-1           fixed
sid        10.42-4           fixed
trixie     10.42-4           fixed
Ubuntu Releases
Product: pcre2

Codename   Version                 Status
noble      -                       not-affected
mantic     -                       not-affected
lunar      -                       not-affected
kinetic    -                       not-affected
jammy      10.39-3ubuntu0.1        released (fixed)
impish     -                       ignored
focal      10.34-7ubuntu0.1        released (fixed)
bionic     10.31-2ubuntu0.1~esm1   released (fixed; ESM build, available to hosts enrolled in Ubuntu Expanded Security Maintenance)
xenial     -                       needs-triage