CVE-2025-58050

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-58050
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-58050.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-58050
Downstream
Related
  • GHSA-c2gv-xgf5-5cc2
Published
2025-08-27T19:15:37Z
Modified
2025-08-30T06:10:02.473780Z
Summary
[none]
Details

The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically in the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.

References

Affected packages

Debian:13 / pcre2

Package

Name
pcre2
Purl
pkg:deb/debian/pcre2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected

Affected versions

10.*

10.45-1
10.46-1~deb13u1
10.46-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / pcre2

Package

Name
pcre2
Purl
pkg:deb/debian/pcre2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
10.46-1

Affected versions

10.*

10.45-1
10.46-1~deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/pcre2project/pcre2

Affected ranges

Type
GIT
Repo
https://github.com/pcre2project/pcre2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

pcre2-10.*

pcre2-10.38
pcre2-10.38-RC1
pcre2-10.39
pcre2-10.40
pcre2-10.41
pcre2-10.42
pcre2-10.43
pcre2-10.43-RC1
pcre2-10.44
pcre2-10.45