CVE-2016-3191
PCRE Regular Expression Compilation Stack Buffer Overflow Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
La función compile_branch en pcre_compile.c en PCRE 8.x en versiones anteriores a 8.39 y pcre2_compile.c en PCRE2 en versiones anteriores a 10.22 no maneja correctamente patrones que contienen una subcadena (*ACCEPT) en conjunción con paréntesis anidados, lo que permite a atacantes remotos ejecutar código arbitrario o provocar una denegación de servicio (desbordamiento de buffer basado en pila) a través de una expresión regular manipuada, según lo demostrado por un objeto JavaScript RegExp encontrado por Konqueror, también conocido como ZDI-CAN-3542.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of PCRE. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the compilation of regular expressions. The issue lies in the failure to validate that compilation of sub-groups will occur within the bounds of a fixed-size stack buffer. An attacker can leverage this vulnerability to execute code within the context of the current process.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-03-15 CVE Reserved
- 2016-03-17 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-11-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-121: Stack-based Buffer Overflow
CAPEC
References (14)
| URL | Tag | Source |
|---|---|---|
| http://vcs.pcre.org/pcre2?view=revision&revision=489 | X_refsource_confirm | |
| http://vcs.pcre.org/pcre?view=revision&revision=1631 | X_refsource_confirm | |
| http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886 | X_refsource_confirm | |
| http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/84810 | Vdb Entry | |
| https://bto.bluecoat.com/security-advisory/sa128 | X_refsource_confirm | |
| https://bugs.debian.org/815920 | X_refsource_confirm | |
| https://bugs.debian.org/815921 | X_refsource_confirm | |
| https://www.tenable.com/security/tns-2016-18 | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://bugs.exim.org/show_bug.cgi?id=1791 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-1025.html | 2018-01-05 | |
| https://access.redhat.com/errata/RHSA-2016:1132 | 2018-01-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1311503 | 2016-05-26 | |
| https://access.redhat.com/security/cve/CVE-2016-3191 | 2016-05-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.00 Search vendor "Pcre" for product "Pcre" and version "8.00" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.01 Search vendor "Pcre" for product "Pcre" and version "8.01" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.02 Search vendor "Pcre" for product "Pcre" and version "8.02" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.10 Search vendor "Pcre" for product "Pcre" and version "8.10" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.11 Search vendor "Pcre" for product "Pcre" and version "8.11" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.12 Search vendor "Pcre" for product "Pcre" and version "8.12" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.13 Search vendor "Pcre" for product "Pcre" and version "8.13" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.20 Search vendor "Pcre" for product "Pcre" and version "8.20" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.21 Search vendor "Pcre" for product "Pcre" and version "8.21" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.30 Search vendor "Pcre" for product "Pcre" and version "8.30" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.31 Search vendor "Pcre" for product "Pcre" and version "8.31" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.32 Search vendor "Pcre" for product "Pcre" and version "8.32" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.33 Search vendor "Pcre" for product "Pcre" and version "8.33" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.34 Search vendor "Pcre" for product "Pcre" and version "8.34" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.35 Search vendor "Pcre" for product "Pcre" and version "8.35" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.36 Search vendor "Pcre" for product "Pcre" and version "8.36" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.37 Search vendor "Pcre" for product "Pcre" and version "8.37" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre Search vendor "Pcre" for product "Pcre" | 8.38 Search vendor "Pcre" for product "Pcre" and version "8.38" | - |
Affected
| ||||||
| Pcre Search vendor "Pcre" | Pcre2 Search vendor "Pcre" for product "Pcre2" | <= 10.21 Search vendor "Pcre" for product "Pcre2" and version " <= 10.21" | - |
Affected
| ||||||