If a user has administrative privileges on the system, they can exploit this vulnerability to obtain sensitive information and execute arbitrary code on the victim’s system. An attacker can exploit this vulnerability to conduct phishing attacks and obtain session tokens, user credentials, and other information.

Details of the vulnerability: An attacker can create a crafted regular expression in the pcre2_jit_compile.c file of an application using PCRE2 to trigger the get_recurse_data_length() function to return a value that is higher than the actual length of the data. Due to this flaw, the data that is copied from one location to another is duplicated. This will result in an attacker being able to retrieve sensitive information and execute code on the system as the user who is experiencing the vulnerability.

How to Fix PCRE2 Out-Of-Bounds Read Vulnerability?

The recommended solution for this issue is to update the vulnerable PCRE2 library on your system.
However, if you cannot update the PCRE2 library on your system for some reason, then you can use an application called pcre2 patch to fix this issue.
On Debian-based systems, the pcre2 patch application can be installed using the following command:

Installing PCRE2 Patch on Debian-based Systems

# apt-get install pcre2-patch

# cd /usr/share/pcre2-patches/

As root, install pcre2 patch apt-get install pcre2 patch

Install PCRE2 Patch on Debian-Based Systems

# apt-get install pcre2-dev
Once you have installed the PCRE2 library, you can use the following command to create a patch for any vulnerable application:

Timeline

Published on: 05/16/2022 21:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC

References