CVE-2017-9229

Published: May 24, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.

Affected (6)

Products: Oniguruma Project: Oniguruma · Php: Php · Ruby Lang: Ruby

Oniguruma Project

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oniguruma Project Oniguruma	Version 6.2.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Php Php	Up to 7.1.5
Ruby Lang Ruby	Up to 2.4.1

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Php Php	From 5.6.0 to 5.6.31
Php Php	From 7.0.0 to 7.0.21
Php Php	From 7.1.0 to 7.1.7

Related CWEs

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (6)

https://access.redhat.com/errata/RHSA-2018:1296

Source: cve@mitre.org

Third Party Advisory

https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/kkos/oniguruma/issues/59

Source: cve@mitre.org

ExploitThird Party Advisory

https://access.redhat.com/errata/RHSA-2018:1296

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/kkos/oniguruma/issues/59

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.