CVE-2017-9228

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-9228
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9228.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-9228
Downstream
Related
Published
2017-05-24T15:29:00.370Z
Modified
2026-02-14T07:18:44.397359Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitsetsetrange() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parsecharclass() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0221e9f827632942225586687a33cfd554860d5e
Fixed
73915a2bd61f21fd809b4d50af9aba950f43e807
Introduced
60fffd296abce5fc071f3c173c25a2696cf683c6
Fixed
8a79ce6c8b9d309573993ce332f3951ea1947e2f
Introduced
fc1df8e7a6886e29a6ed5bef3f674ac61164e847
Fixed
de96a08a90e480f1afb655bcfeac8ac28a14228e

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9228.json"
vanir_signatures 
[
    {
        "digest": {
            "function_hash": "233037532068098537505988791132617368492",
            "length": 13872.0
        },
        "signature_version": "v1",
        "target": {
            "file": "ext/pcre/pcrelib/pcre_jit_compile.c",
            "function": "compile_bracket_matchingpath"
        },
        "signature_type": "Function",
        "id": "CVE-2017-9228-343f4c1a",
        "source": "https://github.com/php/php-src/commit/73915a2bd61f21fd809b4d50af9aba950f43e807",
        "deprecated": false
    },
    {
        "digest": {
            "line_hashes": [
                "41612049881914751775057704412356952022",
                "206133687184829194312361432760839012982",
                "60469889591596012334583203454317370370",
                "317056786488417399517652373716894105276"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "target": {
            "file": "ext/pcre/pcrelib/pcre_jit_compile.c"
        },
        "signature_type": "Line",
        "id": "CVE-2017-9228-cfd9dfdb",
        "source": "https://github.com/php/php-src/commit/73915a2bd61f21fd809b4d50af9aba950f43e807",
        "deprecated": false
    }
]