CVE-2022-23901

9.8 CRITICAL

📋 TL;DR

CVE-2022-23901 is a stack overflow in re2c 2.2, rated 9.8 CRITICAL, caused by unbounded recursion in the dead-rule analysis in dead_rules.cc. A crafted input (regular-expression rules in a re2c source file) drives the recursion until the process stack is exhausted. The rating treats this as remote, unauthenticated code execution; in practice an attacker has to get re2c to process the crafted input, and the directly observable result is that the re2c process crashes. Any build pipeline or service that runs re2c 2.2 on input it does not control is affected.

💻 Affected Systems

Products:
  • re2c
Versions: re2c 2.2
Operating Systems: All platforms re2c runs on (it is a portable command-line tool)
Default Config Vulnerable: ⚠️ Yes
Notes: Only a concern where re2c processes input files (.re sources) that did not come from a trusted party, e.g. a CI service that builds third-party repositories.

📦 What is this software?

re2c is an open-source lexer generator. It reads source files in which regular-expression rules are attached to actions and emits scanner code (C/C++, with further target languages in newer releases). It is a build-time tool: the generated scanners do not link against re2c, so the vulnerable code lives in the build environment, not in the binaries it helps produce.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Code execution in the context of the user or CI job running re2c, as the CVSS rating assumes, giving an attacker the build host and whatever credentials and artifacts it holds; data theft or ransomware deployment can follow from there.

🟠 Likely Case: Denial of service: re2c crashes with a stack overflow while processing the crafted input, and the build that invoked it fails.

🟢 If Mitigated: Limited to a failed build step if re2c only processes input from trusted sources and runs under stack, memory and time limits.

🌐 Internet-Facing: HIGH - If re2c processes input files supplied by external parties (e.g. a public CI service or an online build/playground).
🏢 Internal Only: MEDIUM - Lower risk if only trusted, reviewed re2c sources are processed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The public proof of concept is a crafted input that triggers the infinite recursion, i.e. it demonstrates the crash. Exploitation requires the ability to get re2c to process attacker-controlled input; re2c itself is a command-line tool and exposes no network service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: re2c 2.3

Vendor Advisory: https://github.com/skvadrik/re2c/issues/394

Restart Required: No

Instructions:

1. Prefer your distribution's updated re2c package if one is available; distributions may backport the fix without changing the upstream version string, so check the package changelog in that case.
2. Otherwise download re2c 2.3 or later from https://github.com/skvadrik/re2c/releases
3. Compile and install: ./configure && make && make install
4. Verify installation with: re2c --version
5. Make sure the build actually uses the new binary (command -v re2c shows which one is first in PATH).

🔧 Temporary Workarounds

Input Validation

Platform: all

Treat re2c source files as code: only accept them from trusted repositories and reviewers. Pattern-level validation is a weak defence here, because the bug is in re2c's own analysis of the rules, and a rule that is syntactically valid can still trigger it.

Resource Limiting

Platform: linux

Run re2c under a stack-size limit and a timeout. The limit does not prevent exploitation; it bounds the memory consumed by the runaway recursion and makes the failure fast and deterministic (SIGSEGV) instead of a slow resource drain. Note that 8 MB is already the default soft stack limit on most Linux systems, so a noticeably smaller value is needed for this to change anything.

ulimit -s 8192  # Limit stack to 8MB before running re2c (the default on most Linux systems; lower it further to bound the recursion sooner)

🧯 If You Can't Patch

  • Run re2c as an unprivileged user inside a throwaway container or sandbox with stack, memory and CPU-time limits and a timeout, so a crash or hang only affects that job
  • Restrict who can submit input to systems that run re2c (build job submission, repository access) and segment those systems from the rest of the network
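The stack-limit workaround and the isolation advice above both come down to running re2c with bounded resources and then noticing how it ended. The script below is an added example (not from this page or from the re2c project) of a wrapper that applies a stack cap and a wall-clock timeout in a subshell and classifies the exit status, so a build script can tell an input error from a crash from a hang. It assumes GNU coreutils timeout is installed and that the shell's ulimit supports -s; the re2c invocation in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example (not from the page or the re2c project): run a command under a
# stack cap and a wall-clock timeout, then classify how it ended.
#
# Assumptions: GNU coreutils `timeout` is on PATH; the shell's ulimit supports
# -s (POSIX). Limits are set in a subshell so they do not leak into the caller.

# run_limited TIMEOUT_SECONDS STACK_KIB COMMAND [ARGS...]
#   Returns the command's exit status, 124 on timeout, 125 if the limit could
#   not be applied, or 128+signal if the command was killed by a signal.
run_limited() {
    _timeout=$1
    _stack=$2
    shift 2
    (
        ulimit -s "$_stack" || exit 125
        exec timeout "$_timeout" "$@"
    )
}

# classify_status STATUS -> ok | error | timeout | limit-failed | killed
#   A stack overflow from runaway recursion ends the process with SIGSEGV,
#   which surfaces here as status 139 -> "killed"; that is the signature a
#   build script should alert on rather than silently retrying.
classify_status() {
    case $1 in
        0)   echo ok ;;
        124) echo timeout ;;
        125) echo limit-failed ;;
        [1-9]|[1-9][0-9]|1[01][0-9]|12[0-7]) echo error ;;
        *)   echo killed ;;
    esac
}

# Usage in a build script (lexer.re / lexer.c are placeholder file names):
#   run_limited 60 4096 re2c lexer.re -o lexer.c
#   case $(classify_status $?) in
#       killed|timeout) echo "re2c crashed or hung on lexer.re" >&2; exit 1 ;;
#   esac
```

Because the limits are applied inside a subshell that then execs timeout, the calling shell keeps its own ulimit settings, and the wrapper's return value is exactly what the build system would otherwise have seen from re2c.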

🔍 How to Verify

Check if Vulnerable:

Check re2c version (the banner is "re2c X.Y" or "re2c X.Y.Z", so anchor the match; an unanchored '2.2' would also flag 0.12.2):

re2c --version | grep -qE '^re2c 2\.2(\.[0-9]+)?( |$)' && echo 'VULNERABLE'

Check Version:

re2c --version

Verify Fix Applied:

Verify version is 2.3 or higher (2.x with minor 3 or above, or any 3.x and later; an unanchored '3.' would also accept 0.13.x):

re2c --version | grep -qE '^re2c (2\.([3-9]|[1-9][0-9])|([3-9]|[1-9][0-9]+)\.)' && echo 'PATCHED'
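A version check that compares numbers instead of pattern-matching the banner is less error-prone when it has to run across many hosts. The script below is an added example (not from this page or from the re2c project). It assumes re2c --version prints a single line of the form "re2c MAJOR.MINOR[.PATCH]", and it follows this page's statement of the affected release (2.2, any patch level) and fix version (2.3 and later).

```shell
#!/bin/sh
# Added example (not from the page or the re2c project): decide whether an
# installed re2c is the affected 2.2 release by comparing version numbers
# rather than grepping for substrings.
#
# Assumption: `re2c --version` prints one line "re2c MAJOR.MINOR[.PATCH]".
# Affected range taken from the page: 2.2 (any patch level).

# re2c_vulnerable BANNER
#   exit 0 -> affected (2.2 / 2.2.x)
#   exit 1 -> not affected (older, or 2.3 and later)
#   exit 2 -> banner not recognised
re2c_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^re2c \([0-9]\{1,\}\(\.[0-9]\{1,\}\)*\).*$/\1/p')
    [ -n "$ver" ] || return 2
    case $ver in
        *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   major=$ver;       minor=0 ;;
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -eq 2 ]; then
        return 0
    fi
    return 1
}

# check_installed_re2c
#   Runs the installed binary and prints a verdict. Returns the same code as
#   re2c_vulnerable, or 3 when re2c is not on PATH.
check_installed_re2c() {
    command -v re2c >/dev/null 2>&1 || { echo NOT-INSTALLED; return 3; }
    banner=$(re2c --version 2>/dev/null | head -n 1)
    if re2c_vulnerable "$banner"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "VULNERABLE ($banner)" ;;
        1) echo "NOT-AFFECTED ($banner)" ;;
        *) echo "UNKNOWN ($banner)" ;;
    esac
    return $rc
}
```

Run check_installed_re2c on each host; its exit status (0 = vulnerable) makes it usable directly from a fleet-wide inventory job. Remember that a distribution package may carry a backported fix under the 2.2 version string, in which case the package changelog, not the banner, is authoritative.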

📡 Detection & Monitoring

Log Indicators:

  • Kernel messages (dmesg / journal) of the form re2c[PID]: segfault at ... in re2c[...]: a stack overflow from the recursion terminates re2c with SIGSEGV
  • systemd-coredump (coredumpctl) entries for re2c, or build logs reporting re2c exiting with status 139 / signal 11
  • re2c runs that hit the stack or memory limit, or the timeout, that the build job imposes on it

Network Indicators:

  • Unusual outbound connections from a build host after it processed externally supplied re2c input (only relevant if the worst case, code execution, is assumed)

SIEM Query (generic pseudo-syntax, adapt to your platform):

process_name:re2c AND (event_type:crash OR signal:11 OR exit_code:139 OR memory_usage > threshold)
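The most reliable host-side signal is the kernel's segfault line for the re2c process, and the fault address tells you whether it was the stack. The script below is an added example (not from this page or from the re2c project) that filters re2c segfaults out of journal-style output and flags those whose fault address sits just below the saved stack pointer, the pattern a runaway recursion leaves. It assumes the Linux kernel's "segfault at ADDR ip IP sp SP" message format (logged by default on x86), and the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the re2c project): pick re2c crashes out
# of kernel/journal output and separate stack exhaustion from other faults.
#
# Assumption: Linux kernel format "NAME[PID]: segfault at ADDR ip IP sp SP
# error N in NAME[...]". The sample lines below are constructed, not real.

SAMPLE_LOG='Mar 03 10:14:01 ci-01 kernel: re2c[4242]: segfault at 7ffd1c3f0ff8 ip 000055d0a1c3a2b0 sp 00007ffd1c3f1000 error 6 in re2c[55d0a1c00000+80000]
Mar 03 10:14:01 ci-01 re2c[4242]: re2c: error: cannot open input file
Mar 03 10:15:22 ci-01 kernel: gcc[4300]: segfault at 0 ip 000055e0aaaa0000 sp 00007ffe11110000 error 4 in cc1[55e0aaa00000+200000]
Mar 03 10:16:07 ci-01 kernel: re2c[4377]: segfault at 7ffc0a1e0fd8 ip 000055d0a1c3a2b0 sp 00007ffc0a1e1000 error 6 in re2c[55d0a1c00000+80000]
Mar 03 10:17:40 ci-01 kernel: re2c[4400]: segfault at 0 ip 000055d0a1c31100 sp 00007ffd2b3c4e80 error 4 in re2c[55d0a1c00000+80000]'

# re2c_segfaults < log
#   Prints "PID FAULT_ADDR SP" for each kernel segfault line of an re2c process.
re2c_segfaults() {
    sed -n 's/.*kernel: re2c\[\([0-9]\{1,\}\)\]: segfault at \([0-9a-f]\{1,\}\) ip [0-9a-f]\{1,\} sp \([0-9a-f]\{1,\}\) .*/\1 \2 \3/p'
}

# is_stack_fault FAULT_ADDR SP
#   Heuristic: a fault from runaway recursion lands just below the stack
#   pointer (the guard page), so |sp - addr| is within a few pages.
is_stack_fault() {
    d=$(( 0x$2 - 0x$1 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    if [ "$d" -lt 65536 ]; then return 0; else return 1; fi
}

# report_re2c_crashes LOG_TEXT
#   One line per re2c segfault: "PID stack-exhaustion" or "PID other-segv".
report_re2c_crashes() {
    printf '%s\n' "$1" | re2c_segfaults | while read -r pid addr sp; do
        if is_stack_fault "$addr" "$sp"; then
            echo "$pid stack-exhaustion"
        else
            echo "$pid other-segv"
        fi
    done
}

# Against a live host: report_re2c_crashes "$(journalctl -k --no-pager)"
report_re2c_crashes "$SAMPLE_LOG"
```

On the constructed sample this reports three re2c segfaults, two of them stack exhaustion; the gcc crash and the non-kernel re2c error line are ignored. A single stack-exhaustion line on a host that builds third-party input is worth a ticket on its own, since nothing in a normal re2c run gets anywhere near the stack limit.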
