CVE-2019-20838

Name: CVE-2019-20838
Creator: NVD / NIST
Published: 2020-06-15T17:15:09.683+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.77%

Last modified Jun 17, 2026

CVE-2019-20838 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.. EPSS estimates a 2.77% chance of exploitation in the next 30 days.

Description

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

2.77%

84.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-125

Affected Software

Vendor	Product	Versions
Pcre	Pcre	< 8.43
Apple	Macos	< 11.0.1
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12
Splunk	Universal Forwarder	>= 9.0.0, < 9.0.6
Splunk	Universal Forwarder	9.1.0

References

http://seclists.org/fulldisclosure/2020/Dec/32Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2021/Feb/14Mailing List, Third Party Advisory
https://bugs.gentoo.org/717920Issue Tracking, Patch, Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3EMailing List, Third Party Advisory
https://support.apple.com/kb/HT211931Vendor Advisory
https://support.apple.com/kb/HT212147Vendor Advisory
https://www.pcre.org/original/changelog.txtRelease Notes, Vendor Advisory
http://seclists.org/fulldisclosure/2020/Dec/32Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2021/Feb/14Mailing List, Third Party Advisory
https://bugs.gentoo.org/717920Issue Tracking, Patch, Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3EMailing List, Third Party Advisory
https://support.apple.com/kb/HT211931Vendor Advisory
https://support.apple.com/kb/HT212147Vendor Advisory
https://www.pcre.org/original/changelog.txtRelease Notes, Vendor Advisory

Timeline

Published: Jun 15, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-20838?

libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.

How severe is CVE-2019-20838?

CVE-2019-20838 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.77% probability of exploitation in the next 30 days.

How do I fix CVE-2019-20838?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-20838?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST