Out-of-bounds read in PCRE

#VU7565 Out-of-bounds read in PCRE

Published: 2017-07-18 | Updated: 2017-08-23

Vulnerability identifier: #VU7565

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-7244

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
PCRE
Universal components / Libraries / Libraries used by multiple products

Vendor: PCRE

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to invalid memory read flaw in the _pcre32_xclass function in pcre_xclass.c. A remote attacker can trick the victim into loading a specially crafted file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Update to version 8.41 (not released at the moment)

Vulnerable software versions

PCRE: 8.40

Fixed software versions

CPE

cpe:2.3:a:pcre:pcre:8.40:*:*:*:*:*:*:*

External links
http://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in DELL Secure Connect Gateway Security

SUSE update for pcre

Gentoo update for PCRE

Out-of-bounds read in pcre (Alpine package)

Arch Linux update for pcre