CVE-2019-13224

Name: CVE-2019-13224
Creator: NVD / NIST
Published: 2019-07-10T14:15:11.607+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 4.05%

Last modified Jun 17, 2026

CVE-2019-13224 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). EPSS estimates a 4.05% chance of exploitation in the next 30 days.

Description

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

4.05%

89.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-416

Affected Software

Vendor	Product	Versions
Oniguruma Project	Oniguruma	6.9.2
Php	Php	>= 7.1.0, < 7.1.32
Php	Php	>= 7.2.0, < 7.2.23
Php	Php	>= 7.3.0, < 7.3.9
Fedoraproject	Fedora	29
Fedoraproject	Fedora	30
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	12.04
Canonical	Ubuntu Linux	14.04

References

https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
https://security.gentoo.org/glsa/201911-03Third Party Advisory
https://support.f5.com/csp/article/K00103182Third Party Advisory
https://support.f5.com/csp/article/K00103182?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4088-1/Third Party Advisory
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
https://security.gentoo.org/glsa/201911-03Third Party Advisory
https://support.f5.com/csp/article/K00103182Third Party Advisory
https://support.f5.com/csp/article/K00103182?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4088-1/Third Party Advisory

Timeline

Published: Jul 10, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-13224?

How severe is CVE-2019-13224?

CVE-2019-13224 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 4.05% probability of exploitation in the next 30 days.

How do I fix CVE-2019-13224?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-13224?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST