CVE-2022-1586 Overview
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
Critical Impact
This vulnerability allows remote attackers to trigger out-of-bounds memory reads via specially crafted regular expressions, potentially leading to information disclosure or application crashes affecting numerous systems and applications that depend on the PCRE2 library.
Affected Products
- PCRE PCRE2 (all versions prior to patch)
- Fedora 35 and 36
- Red Hat Enterprise Linux 8.0 and 9.0
- NetApp Active IQ Unified Manager, HCI Management Node, ONTAP Select Deploy Administration Utility, SolidFire
- NetApp H-Series Storage Systems (H300S, H500S, H700S, H410S, H410C) and associated firmware
- Debian Linux 10.0
Discovery Timeline
- 2022-05-16 - CVE-2022-1586 published to NVD
- 2025-03-25 - Last updated in NVD database
Technical Details for CVE-2022-1586
Vulnerability Analysis
The vulnerability resides in the PCRE2 library's Just-In-Time (JIT) compilation engine, specifically within the compile_xclass_matchingpath() function in pcre2_jit_compile.c. When processing unicode property matching with case-less (case-insensitive) operations, the JIT compiler fails to fully read character data before performing comparisons.
This out-of-bounds read condition (CWE-125) occurs during the processing of character class matching in JIT-compiled regular expressions. The flaw manifests when the library attempts to handle PT_CLIST (property character list) operations without properly validating the preceding opcode type. As a result, the JIT engine may read memory beyond allocated boundaries when processing specially crafted regex patterns involving unicode properties and caseless matching.
The vulnerability is exploitable remotely over the network without requiring authentication or user interaction. Successful exploitation can lead to disclosure of sensitive memory contents or denial of service through application crashes.
Root Cause
The root cause lies in an incorrect conditional check within the JIT compilation logic. The original code checked *cc == PT_CLIST without properly verifying that the preceding operation was XCL_PROP. This caused the JIT compiler to incorrectly access memory when processing certain unicode property patterns in caseless matching mode.
The faulty logic in compile_xclass_matchingpath() would proceed with reading from PRIV(ucd_caseless_sets) based on an invalid pointer offset, leading to out-of-bounds memory access.
Attack Vector
The attack vector is network-based, allowing remote exploitation. An attacker can exploit this vulnerability by:
- Crafting a malicious regular expression pattern that includes unicode property matching with caseless flag
- Submitting this pattern to an application that uses PCRE2 with JIT compilation enabled
- Triggering the JIT compilation path to process the malicious pattern
- Causing the out-of-bounds read condition to execute, potentially leaking memory contents or crashing the application
Applications commonly affected include web servers, text processing utilities, email filters, intrusion detection systems, and any software that accepts user-supplied regular expressions and compiles them with PCRE2 JIT.
// Original vulnerable code in src/pcre2_jit_compile.c
{
SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
cc++;
- if (*cc == PT_CLIST)
+ if (*cc == PT_CLIST && cc[-1] == XCL_PROP)
{
other_cases = PRIV(ucd_caseless_sets) + cc[1];
while (*other_cases != NOTACHAR)
Source: GitHub PCRE2 Commit
The fix adds a proper check to ensure cc[-1] == XCL_PROP before proceeding with the caseless character set processing, preventing the out-of-bounds read.
Detection Methods for CVE-2022-1586
Indicators of Compromise
- Unexpected application crashes in services using PCRE2 library with JIT enabled
- Memory access violations or segmentation faults in regex processing components
- Abnormal memory dumps or core files indicating out-of-bounds read operations in pcre2_jit_compile.c
- Unusual regex patterns being submitted to applications, particularly those with unicode property syntax
Detection Strategies
- Monitor application logs for PCRE2-related crashes or memory errors during regex compilation
- Implement input validation to detect potentially malicious regex patterns with unicode property matching constructs
- Use memory sanitizers (AddressSanitizer, Valgrind) in development environments to detect out-of-bounds reads
- Deploy runtime application self-protection (RASP) solutions to detect abnormal memory access patterns
Monitoring Recommendations
- Enable detailed logging for applications accepting user-supplied regular expressions
- Configure crash reporting to capture stack traces involving PCRE2 library functions
- Monitor system memory usage for anomalies that may indicate exploitation attempts
- Implement alerting for repeated regex compilation failures or exceptions
How to Mitigate CVE-2022-1586
Immediate Actions Required
- Update PCRE2 library to the latest patched version immediately
- If immediate patching is not possible, disable JIT compilation in PCRE2 by not using PCRE2_JIT_COMPLETE, PCRE2_JIT_PARTIAL_SOFT, or PCRE2_JIT_PARTIAL_HARD flags
- Review and restrict sources of user-supplied regular expressions
- Apply vendor-specific patches from Red Hat, Fedora, Debian, and NetApp as appropriate for your environment
Patch Information
The vulnerability has been addressed through official patches committed to the PCRE2 project repository. The fix modifies the conditional check in compile_xclass_matchingpath() to properly validate the opcode type before processing caseless character matching.
Key patches are available at:
Distribution-specific updates:
Workarounds
- Disable PCRE2 JIT compilation to avoid the vulnerable code path entirely
- Implement strict input validation and sanitization for all user-supplied regular expressions
- Use regex complexity limits to reject patterns that may be crafted to exploit this vulnerability
- Consider using alternative regex engines that are not affected if PCRE2 cannot be updated
# Example: Disable JIT in applications using PCRE2 (configuration varies by application)
# For PHP applications, add to php.ini:
pcre.jit=0
# For applications with PCRE2 compile-time options, rebuild without JIT:
./configure --disable-jit
make && make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
