CVE-2014-9654: Buffer Overflow
ICU could allow a remote attacker to execute arbitrary code on the system, caused by improper size limit checks when handling regular expressions. An attacker could exploit this vulnerability using specially crafted data to execute arbitrary code on the system with elevated privileges or cause the application using ICU to crash.
Other sources
The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2014-9654?
CVE-2014-9654 has a high severity rating due to its potential to allow remote code execution.
How do I fix CVE-2014-9654?
To fix CVE-2014-9654, update Google Chrome to version 40.0.2214.86 or later and update ICU to version 55.1 or later.
Who is affected by CVE-2014-9654?
CVE-2014-9654 affects users of Google Chrome versions up to 40.0.2214.85 and ICU versions below 55.1.
What types of attacks can exploit CVE-2014-9654?
CVE-2014-9654 can be exploited through specially crafted data that triggers improper size limit checks in regular expressions.
Is CVE-2014-9654 easily exploitable?
Due to the nature of the vulnerability, CVE-2014-9654 can be easily exploited by an attacker with malicious intent.