U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:pcre:pcre:1.01:*:*:*:*:*:*:*
There are 20 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-14155

libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.

Published: June 15, 2020; 1:15:10 PM -0400
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2019-20838

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Published: June 15, 2020; 1:15:09 PM -0400
V3.1: 7.5 HIGH
V2.0: 4.3 MEDIUM
CVE-2015-2326

The pcre_compile2 function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code and cause a denial of service (out-of-bounds read) via regular expression with a group containing both a forward referencing subroutine call and a recursive back reference, as demonstrated by "((?+1)(\1))/".

Published: January 14, 2020; 12:15:12 PM -0500
V3.1: 5.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2015-2325

The compile_branch function in PCRE before 8.37 allows context-dependent attackers to compile incorrect code, cause a denial of service (out-of-bounds heap read and crash), or possibly have other unspecified impact via a regular expression with a group containing a forward reference repeated a large number of times within a repeated outer group that has a zero minimum quantifier.

Published: January 14, 2020; 12:15:12 PM -0500
V3.1: 7.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2017-6004

The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression.

Published: February 16, 2017; 6:59:00 AM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2015-5073

Heap-based buffer overflow in the find_fixedlength function in pcre_compile.c in PCRE before 8.38 allows remote attackers to cause a denial of service (crash) or obtain sensitive information from heap memory and possibly bypass the ASLR protection mechanism via a crafted regular expression with an excess closing parenthesis.

Published: December 13, 2016; 11:59:06 AM -0500
V3.0: 9.1 CRITICAL
V2.0: 6.4 MEDIUM
CVE-2015-8391

The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Published: December 01, 2015; 8:59:15 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 9.0 HIGH
CVE-2015-2328

PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

Published: December 01, 2015; 8:59:01 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-8964

Heap-based buffer overflow in PCRE 8.36 and earlier allows remote attackers to cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

Published: December 16, 2014; 1:59:10 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2008-0674

Buffer overflow in PCRE before 7.6 allows remote attackers to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255.

Published: February 18, 2008; 6:00:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2006-7230

Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate the amount of memory needed for a compiled regular expression pattern when the (1) -x or (2) -i UTF-8 options change within the pattern, which allows context-dependent attackers to cause a denial of service (PCRE or glibc crash) via crafted regular expressions.

Published: November 15, 2007; 2:46:00 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2006-7227

Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 allows context-dependent attackers to execute arbitrary code via a regular expression containing a large number of named subpatterns (name_count) or long subpattern names (max_name_size), which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.

Published: November 14, 2007; 4:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2006-7228

Integer overflow in Perl-Compatible Regular Expression (PCRE) library before 6.7 might allow context-dependent attackers to execute arbitrary code via a regular expression that involves large (1) min, (2) max, or (3) duplength values that cause an incorrect length calculation and trigger a buffer overflow, a different vulnerability than CVE-2006-7227. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.

Published: November 14, 2007; 4:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1659

Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1660

Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2007-1662

Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-4766

Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 7.3 allow context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via unspecified escape (backslash) sequences.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2007-4767

Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \p sequence, (2) a \P sequence, or (3) a \P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2007-4768

Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized.

Published: November 07, 2007; 6:46:00 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2005-4872

Perl-Compatible Regular Expression (PCRE) library before 6.2 does not properly count the number of named capturing subpatterns, which allows context-dependent attackers to cause a denial of service (crash) via a regular expression with a large number of named subpatterns, which triggers a buffer overflow. NOTE: this issue was originally subsumed by CVE-2006-7224, but that CVE has been REJECTED and split.

Published: December 31, 2005; 12:00:00 AM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM