CVE-2019-20838

7.5 HIGH

📋 TL;DR

This vulnerability in libpcre (PCRE library) allows attackers to read beyond allocated memory buffers when processing certain regular expressions with specific quantifiers while UTF mode is disabled. This affects any software using vulnerable versions of PCRE for regular expression processing, potentially exposing sensitive data or causing crashes.

💻 Affected Systems

Products:
  • PCRE (Perl Compatible Regular Expressions library)
  • Software using libpcre (Apache, PHP, Python, many Linux utilities)
  • Apple macOS/iOS (via system libraries)
  • Various Linux distributions
Versions: PCRE versions before 8.43
Operating Systems: Linux, macOS, iOS, BSD variants, any OS using vulnerable PCRE
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability only triggers when UTF mode is disabled AND the regular expression uses \X or \R with multiple fixed quantifiers.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure leading to exposure of sensitive memory contents, potentially including credentials, encryption keys, or other application data. Could also cause denial of service through application crashes.

🟠 Likely Case

Application crashes or instability when processing malicious regular expressions, potentially leading to denial of service. Information disclosure is possible but requires specific conditions.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing; crashes may still occur but sensitive data exposure is minimized.

🌐 Internet-Facing: MEDIUM - Many internet-facing applications use PCRE for input validation and processing, but exploitation requires specific conditions (UTF disabled, specific regex patterns).
🏢 Internal Only: LOW - Internal systems typically process less untrusted input, reducing attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific regular expressions that trigger the buffer over-read. Public disclosures include technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PCRE 8.43 and later

Vendor Advisory: https://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup

Restart Required: Yes

Instructions:

1. Update the PCRE library to version 8.43 or later.
2. For Linux distributions: use the package manager (apt-get upgrade libpcre3, yum update pcre, etc.).
3. For macOS/iOS: apply Apple security updates.
4. Recompile any statically linked applications.
5. Restart affected services.

🔧 Temporary Workarounds

Disable JIT compilation

Applies to: all

Disable PCRE's JIT compilation feature to prevent exploitation through the JIT path.

  • For applications using PCRE: set the PCRE_NO_JIT flag or equivalent in code
  • For PHP: set pcre.jit=0 in php.ini
  • For Apache: configure mod_security or similar to disable JIT

Input validation for regex patterns

Applies to: all

Validate and sanitize regular expression patterns from untrusted sources.

  • Implement pattern whitelisting
  • Reject patterns containing \X or \R with multiple fixed quantifiers when UTF mode is disabled

🧯 If You Can't Patch

  • Implement strict input validation to reject malicious regular expression patterns
  • Use application firewalls or WAF rules to block patterns containing \X or \R with problematic quantifiers

🔍 How to Verify

Check if Vulnerable:

Check the PCRE version: pcretest -C | grep 'PCRE version'. If the version is below 8.43, the system is vulnerable. Also check whether applications are dynamically linked to a vulnerable libpcre.

Check Version:

pcretest -C | grep 'PCRE version' or ldd /path/to/binary | grep pcre

Verify Fix Applied:

Verify that the PCRE version is 8.43 or higher: pcretest -C | grep 'PCRE version'. Test with known vulnerable regex patterns to ensure no crashes or memory issues.
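A small POSIX shell helper for the version check above, added here as an example (it is not from this page or from the PCRE project): it parses the "PCRE version" line that pcretest -C prints, compares it against the 8.43 fix release, and reports whether the build was compiled with the JIT, which is the code path the "Disable JIT compilation" workaround targets. The sample pcretest outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a build from the text that `pcretest -C` prints.
# Prints "vulnerable" (PCRE 8.x below 8.43), "fixed" (8.43 or later) or
# "unknown" (no "PCRE version" line). PCRE2 prints "PCRE2 version 10.x" and
# is a separate library, so it is deliberately reported as unknown here.
pcre_fix_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^PCRE version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 43 ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Report whether the build includes the JIT. pcretest -C prints either
# "Just-in-time compiler support: <target>" or "No just-in-time compiler support".
pcre_jit_status() {
    case "$1" in
        *"No just-in-time compiler support"*) echo unavailable ;;
        *"Just-in-time compiler support:"*)  echo available ;;
        *) echo unknown ;;
    esac
}

# Constructed sample outputs (abbreviated) for demonstration; not real captures.
SAMPLE_OLD_JIT='PCRE version 8.42 2018-03-20
Compiled with
  8-bit support
  UTF-8 support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)'
SAMPLE_FIXED='PCRE version 8.44 2020-02-12
Compiled with
  8-bit support
  No just-in-time compiler support'
SAMPLE_PCRE2='PCRE2 version 10.34 2019-11-21'

# Check the installed library when pcretest exists, otherwise show the samples.
if command -v pcretest >/dev/null 2>&1; then
    out=$(pcretest -C 2>/dev/null)
    echo "installed PCRE: $(pcre_fix_status "$out"), JIT $(pcre_jit_status "$out")"
else
    echo "sample 8.42: $(pcre_fix_status "$SAMPLE_OLD_JIT"), JIT $(pcre_jit_status "$SAMPLE_OLD_JIT")"
    echo "sample 8.44: $(pcre_fix_status "$SAMPLE_FIXED"), JIT $(pcre_jit_status "$SAMPLE_FIXED")"
fi
```

A "fixed" result only covers the system copy of libpcre; statically linked binaries (see the ldd check above) must be rebuilt and re-checked separately.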

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory access violation errors
  • Unusual regular expression processing patterns in logs

Network Indicators:

  • Patterns of requests containing complex regular expressions
  • Repeated attempts with similar payloads

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "memory violation" OR "pcre" OR "regex error")
