CVE-2019-20454: High severity PCRE pcre2 vulnerability

Published Jul 28, 2019
·
Updated

A flaw was found in libpcre. A buffer overread in JIT mode when \X is used in non-UTF mode may cause application crash and denial of service. The flaw is in function doextuninoutf() in pcre2jitcompile.c, which uses the macro GETCHARINC to read a character. However, in case there is an invalid UTF character the value read is too big, which causes an out-of-bounds read in the next statement, while executing macro UCDGRAPHBREAK.

References:

https://bugs.exim.org/showbug.cgi?id=2421 https://bugzilla.redhat.com/showbug.cgi?id=1734468

Upstream patch:

http://git.php.net/?p=php-src.git;a=commitdiff;h=8947fd9e9fdce87cd6c59817b1db58e789538fe9

Other sources

An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in doextuninoutf in pcre2jitcompile.c.

An out-of-bounds read was discovered in PCRE when the pattern "\X" is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to crash the application.

Affected Software

7 affected componentsFixes available
redhat/pcre2<0:10.32-2.el8
0:10.32-2.el8
redhat/pcre<10.34
10.34
PCRE pcre2>=10.31<10.34
Fedoraproject Fedora=31
Splunk Universal Forwarder>=8.2.0<8.2.12
Splunk Universal Forwarder>=9.0.0<9.0.6
Splunk Universal Forwarder=9.1.0

Remediation

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=1735494

Patch Available

https://vcs.pcre.org/pcre2?view=revision&revision=1092

Event History

Jul 28, 2019
CVE Published
12:00 AM
Aug 1, 2019
Data Sourced
via Red Hat·01:28 AM
DescriptionSeverityAffected Software
Feb 14, 2020
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverity

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2019-20454?

CVE-2019-20454 is an out-of-bounds read vulnerability in PCRE that can lead to application crashes.

2

How does CVE-2019-20454 affect PCRE?

CVE-2019-20454 affects PCRE versions before 10.34 when the \X pattern is JIT compiled and used to match specially crafted subjects in non-UTF mode.

3

What is the severity of CVE-2019-20454?

CVE-2019-20454 has a severity rating of 7.5 (high).

4

How can CVE-2019-20454 be exploited?

CVE-2019-20454 can be exploited by an attacker using specially crafted subjects to crash applications that use PCRE for parsing untrusted input.

5

Is there a fix for CVE-2019-20454?

Yes, PCRE version 10.34 or higher includes a fix for CVE-2019-20454.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203