LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2015-3210 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in PCRE 8.34 through 8.37 and PCRE2 10.10 allows remote attackers to execute arbitrary code via a crafted regular expression, as demonstrated by /^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/, a different vulnerability than CVE-2015-8384. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3210 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2015-3217 CVE STATUS: Patched CVE SUMMARY: PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3217 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2016-3191 CVE STATUS: Patched CVE SUMMARY: The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3191 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-7186 CVE STATUS: Patched CVE SUMMARY: libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attackers to cause a denial of service (segmentation violation for read access, and application crash) by triggering an invalid Unicode property lookup. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7186 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-8399 CVE STATUS: Patched CVE SUMMARY: PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based buffer overflow in pcre2_match.c, related to a "pattern with very many captures." CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8399 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2017-8786 CVE STATUS: Patched CVE SUMMARY: pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8786 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2019-20454 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 5.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20454 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-1586 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1586 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-1587 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1587 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2022-41409 CVE STATUS: Patched CVE SUMMARY: Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 CVSS v4 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-41409 LAYER: meta PACKAGE NAME: libpcre2 PACKAGE VERSION: 10.43 CVE: CVE-2025-58050 CVE STATUS: Patched CVE SUMMARY: The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 9.1 CVSS v4 BASE SCORE: 6.9 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2025-58050