CVE-2016-3191
CVE-2016-3191 is a vulnerability of currently unknown severity in the PCRE and PCRE2 regular-expression libraries: a stack-based buffer overflow in the pattern compiler that a crafted regular expression can trigger (full description below). EPSS estimates an 8.43% chance of exploitation in the next 30 days.
Description
The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.
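Two checks a practitioner would want against this advisory, written as an added example for this page (not code from the page, NVD or the PCRE project): a version test for the ranges the description gives (PCRE 8.x before 8.39, PCRE2 before 10.22), and a conservative pre-filter for regular expressions taken from untrusted input, which flags any pattern that combines the (*ACCEPT) verb with nested parentheses. The version ranges come from the description; the filter heuristic, its handling of escapes and character classes, and the sample patterns are assumptions, and no sample is claimed to be a working trigger.

```python
"""Added example for CVE-2016-3191: two pre-deployment checks.

1. is_affected_version(): does an installed PCRE/PCRE2 version fall inside
   the vulnerable ranges stated in the advisory (PCRE 8.x < 8.39,
   PCRE2 < 10.22)?
2. pattern_needs_review(): a conservative pre-filter for untrusted regexes,
   flagging any pattern that combines the (*ACCEPT) verb with nested
   parentheses, the trigger condition the advisory describes.

Illustrative code written for this page, not PCRE project code. The
heuristic is an assumption: it flags the condition named in the advisory,
it does not prove that a given pattern overflows.
"""
import re

ACCEPT_VERB = "(*ACCEPT)"


def parse_version(version: str) -> tuple:
    """'8.38' -> (8, 38); '10.22-RC1' -> (10, 22). Only the first two
    numeric components matter for the ranges in this advisory."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if len(parts) < 2:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(parts[:2])


def is_affected_version(library: str, version: str) -> bool:
    """True if library/version is inside the ranges the advisory lists."""
    major, minor = parse_version(version)
    lib = library.lower()
    if lib == "pcre":
        # advisory scope is 8.x before 8.39; other majors are not listed
        return major == 8 and minor < 39
    if lib == "pcre2":
        return (major, minor) < (10, 22)
    raise ValueError(f"unknown library {library!r}")


def scan_pattern(pattern: str):
    """Single pass over a PCRE pattern tracking group nesting depth.

    Returns (max_depth, accept_depths): the deepest parenthesis nesting
    seen, and the depth at which each (*ACCEPT) verb occurs (0 = top level).
    Backslash escapes and character classes are skipped so literal brackets
    inside them are not counted as groups. \\Q...\\E quoting is not handled;
    callers should treat patterns using it as needing review.
    """
    depth = max_depth = 0
    accept_depths = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            i += 2                       # escaped character, never a delimiter
            continue
        if c == "[":
            # character class: a ']' directly after '[' or '[^' is a literal
            i += 1
            if i < n and pattern[i] == "^":
                i += 1
            if i < n and pattern[i] == "]":
                i += 1
            while i < n and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1                       # step past the closing ']'
            continue
        if pattern.startswith(ACCEPT_VERB, i):
            accept_depths.append(depth)  # the verb's own parens are not a group
            i += len(ACCEPT_VERB)
            continue
        if c == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == ")":
            depth = max(depth - 1, 0)    # tolerate unbalanced input
        i += 1
    return max_depth, accept_depths


def pattern_needs_review(pattern: str) -> bool:
    """Conservative filter: flag any pattern in which (*ACCEPT) appears
    inside a group, or alongside nested groups anywhere in the pattern."""
    max_depth, accepts = scan_pattern(pattern)
    if not accepts:
        return False
    return max(accepts) >= 1 or max_depth >= 2


if __name__ == "__main__":
    # constructed inputs for illustration; none is claimed to be a trigger
    for lib, ver in [("pcre", "8.38"), ("pcre", "8.39"),
                     ("pcre2", "10.21"), ("pcre2", "10.22")]:
        print(f"{lib} {ver}: affected={is_affected_version(lib, ver)}")
    for pat in [r"a(*ACCEPT)b", r"(a(*ACCEPT)b)", r"(a)(b(c))(*ACCEPT)",
                r"[(](*ACCEPT)", r"((a)b)"]:
        print(f"{pat!r}: review={pattern_needs_review(pat)}")
```

The filter errs on the side of rejection: a top-level (*ACCEPT) with no nesting passes, anything else involving the verb is sent for review. Apply it only as an interim control while a vulnerable build is in service; the fix is the library upgrade.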
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pcre | Pcre | 8.00 |
| Pcre | Pcre | 8.01 |
| Pcre | Pcre | 8.02 |
| Pcre | Pcre | 8.10 |
| Pcre | Pcre | 8.11 |
| Pcre | Pcre | 8.12 |
| Pcre | Pcre | 8.13 |
| Pcre | Pcre | 8.20 |
| Pcre | Pcre | 8.21 |
| Pcre | Pcre | 8.30 |
| Pcre | Pcre | 8.31 |
| Pcre | Pcre | 8.32 |
| Pcre | Pcre | 8.33 |
| Pcre | Pcre | 8.34 |
| Pcre | Pcre | 8.35 |
| Pcre | Pcre | 8.36 |
| Pcre | Pcre | 8.37 |
| Pcre | Pcre | 8.38 |
| Pcre | Pcre2 | <= 10.21 |
Frequently Asked Questions
What is CVE-2016-3191?
A stack-based buffer overflow in the pattern compiler of PCRE (compile_branch in pcre_compile.c, 8.x before 8.39) and PCRE2 (pcre2_compile.c before 10.22), triggered by a crafted regular expression that combines the (*ACCEPT) verb with nested parentheses. Because the trigger is the pattern itself, any component that compiles untrusted regular expressions with a vulnerable build is exposed; the reported case was a JavaScript RegExp object processed by Konqueror (ZDI-CAN-3542).
How severe is CVE-2016-3191?
No severity score is recorded on this page. The advisory text gives the impact as arbitrary code execution or denial of service, and EPSS estimates an 8.43% chance of exploitation in the next 30 days.
How do I fix CVE-2016-3191?
Upgrade to PCRE 8.39 or later, or PCRE2 10.22 or later. Where the library is bundled into another product (browsers, language runtimes, web servers), take the vendor update that ships a fixed PCRE. As an interim mitigation, do not compile regular expressions from untrusted sources with a vulnerable build, or reject patterns that contain (*ACCEPT).
Are you affected by CVE-2016-3191?
You are affected if you run any PCRE release from 8.00 through 8.38, or any PCRE2 release up to and including 10.21 (see Affected Software above), whether installed directly or embedded in other software.
Source: NVD / NIST
