Upcoming security release 10.46
27 views
Skip to first unread message
Nicholas Wilson
Aug 27, 2025, 7:02:50 AM (13 days ago) Aug 27
to PCRE2 discussion list
Dear all,
A relatively small security issue has been reported in PCRE2. It is a read-past-the-end memory error, of arbitrary length. An attacker-controlled regex pattern is required, and it cannot be triggered by providing crafted subject (match) text.
This could have implications of denial-of-service or information disclosure, and could potentially be used to escalate other vulnerabilities in a system (such as information disclosure being used to escalate the severity of an unrelated bug in another system).
I have decided to release the fix without waiting for our next scheduled release.
The 10.46 release will contain only the three-line code change necessary to fix the bug. I would recommend that users update from 10.45 to 10.46 at their earliest convenience.
I will request a CVE.
This bug report is credited to the Google Big Sleep project (many thanks).
With my apologies,
Nick Wilson
Nicholas Wilson
Aug 27, 2025, 12:47:44 PM (13 days ago) Aug 27
to PCRE2 discussion list
I have now published this release on GitHub:
Please let me know if you encounter any issues, or wish to provide feedback on the process for this security release.
All the best,
Nick Wilson
enh
Aug 28, 2025, 9:28:44 AM (12 days ago) Aug 28
to Nicholas Wilson, PCRE2 discussion list
i wish i'd realized this was a _new_ bug in 10.45 --- i'd have updated
android straight from 10.44 to 10.46 if i'd known! (as it is, i
updated to 10.45 yesterday to make the 10.46 update easier to backport
based on the "only the three-line code change necessary".)
hopefully this helps someone else!
> --
> You received this message because you are subscribed to the Google Groups "PCRE2 discussion list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pcre2-dev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/pcre2-dev/fed275b7-f3bf-4d16-866a-653d14eb3752n%40googlegroups.com.
android straight from 10.44 to 10.46 if i'd known! (as it is, i
updated to 10.45 yesterday to make the 10.46 update easier to backport
based on the "only the three-line code change necessary".)
hopefully this helps someone else!
> You received this message because you are subscribed to the Google Groups "PCRE2 discussion list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pcre2-dev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/pcre2-dev/fed275b7-f3bf-4d16-866a-653d14eb3752n%40googlegroups.com.
Giuseppe D'Angelo
Aug 29, 2025, 5:56:58 AM (11 days ago) Aug 29
to Nicholas Wilson, PCRE2 discussion list
Hi,
Thank you very much for the prompt release and notification mechanism!
I've already integrated 10.46 in Qt without issues (was already at 10.45).
I'd like to take the opportunity to actually remark that allowing attacker-controlled patterns is, in general, a bad idea.
https://www.pcre.org/current/doc/html/pcre2.html#SEC2 has some notes; the point is that even legitimate patterns can potentially be used to DOS an application.
For this reason we try to warn Qt users not to use patterns coming from untrusted sources.
--
You received this message because you are subscribed to the Google Groups "PCRE2 discussion list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pcre2-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pcre2-dev/c5f13cc6-3234-4e05-a864-dc221cd94568n%40googlegroups.com.
--
Giuseppe D'Angelo
Reply all
Reply to author
Forward
0 new messages