CVE-2015-3217

NONE EPSS 92.6%
Published Dec 13, 2016 · Last Modified Jun 17, 2026

Description

PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.

Threat Intelligence

EPSS Exploit Probability
92.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (Memory Safety)

Affected Products 10

Vendor  Product   Version  Range
pcre    pcre2     10.10    any
pcre    pcre      7.8      any
pcre    pcre      8.32     any
pcre    pcre      8.33     any
pcre    pcre      8.34     any
pcre    pcre      8.35     any
pcre    pcre      8.36     any
pcre    pcre      8.37     any
ibm     powerkvm  2.1      any
ibm     powerkvm  3.1      any

References 10

  • rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2016-1025.html
  • rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2016-2750.html
  • vcs.pcre.org http://vcs.pcre.org/pcre?view=revision&revision=1566
    Patch
  • www-01.ibm.com http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
    Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2015/06/03/7
    Mailing List
  • oracle.com http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
  • securityfocus.com http://www.securityfocus.com/bid/75018
    Third Party Advisory, VDB Entry
  • access.redhat.com https://access.redhat.com/errata/RHSA-2016:1132
  • bugs.exim.org https://bugs.exim.org/show_bug.cgi?id=1638
    Exploit, Issue Tracking, Vendor Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1228283
    Issue Tracking

Remediation

  • vcs.pcre.org http://vcs.pcre.org/pcre?view=revision&revision=1566
    Patch