CVE-2015-8386
📋 TL;DR
This vulnerability in PCRE (Perl Compatible Regular Expressions) library allows remote attackers to cause a buffer overflow via specially crafted regular expressions. The flaw occurs when lookbehind assertions interact with mutually recursive subpatterns, potentially leading to denial of service or arbitrary code execution. Systems using vulnerable PCRE versions in applications like Konqueror browser are affected.
💻 Affected Systems
- PCRE library
- Konqueror browser
- Applications using PCRE for regex processing
📦 What is this software?
Fedora by Fedoraproject
Linux by Oracle
Perl Compatible Regular Expression Library by Pcre
View all CVEs affecting Perl Compatible Regular Expression Library →
Php by Php
Php by Php
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise
Likely Case
Denial of service through application crashes
If Mitigated
Application crash with no privilege escalation
🎯 Exploit Status
Demonstrated via JavaScript RegExp in Konqueror; similar exploitation possible in other contexts
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCRE 8.38 and later
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2016-1025.html
Restart Required: Yes
Instructions:
1. Update PCRE to version 8.38 or later
2. Update all applications using PCRE
3. Restart affected services
4. Verify with version check
🔧 Temporary Workarounds
Disable regex processing in vulnerable applications
allConfigure applications to avoid using PCRE for regex processing where possible
Application-specific configuration changes required
Input validation for regex patterns
allImplement strict validation and sanitization of user-supplied regular expressions
Implement regex pattern validation in application code
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy web application firewall with regex pattern blocking
🔍 How to Verify
Check if Vulnerable:
Check PCRE version: pcretest -C | grep 'PCRE version'Check Version:
pcretest -C | grep 'PCRE version'Verify Fix Applied:
Verify PCRE version is 8.38 or higher📡 Detection & Monitoring
Log Indicators:
- Application crashes
- Segmentation faults in regex processing
- Memory violation errors
Network Indicators:
- Unusual regex patterns in web requests
- Repeated regex-related requests
SIEM Query:
source="application_logs" AND ("segmentation fault" OR "buffer overflow") AND "regex"🔗 References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://rhn.redhat.com/errata/RHSA-2016-1025.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/82990
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://rhn.redhat.com/errata/RHSA-2016-1025.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www-01.ibm.com/support/docview.wss?uid=isg3T1023886
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/82990
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
