CVE-2025-58050
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-27

Last updated on: 2025-09-09

Assigner: GitHub, Inc.

Description
The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-27
Last Modified
2025-09-09
Generated
2026-06-16
AI Q&A
2025-08-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-58050
EUVD
EUVD-2025-25947
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pcre pcre2 10.45
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58050 is a heap-buffer-overflow read vulnerability in the PCRE2 library version 10.45. It occurs in the regular expression engine when using the (*scs:...) (Scan SubString) verb combined with (*ACCEPT). The issue arises because after an ACCEPT operation inside a scan substring block, certain internal buffer pointers (mb->end_subject and mb->true_end_subject) are not properly restored to their original values. This causes subsequent operations, like backreference matching, to perform out-of-bounds memory reads, potentially leaking information. The vulnerability can be triggered only by attacker-controlled regex patterns, not by crafted input text, and was fixed in version 10.46 by restoring these buffer pointers correctly. [1, 3]

Impact Analysis

This vulnerability can lead to information disclosure by allowing an attacker to read memory beyond the intended buffer boundaries during regex matching. Although the impact on confidentiality is low and it does not affect integrity, it may enable escalation of other system vulnerabilities by leaking sensitive information. It can also cause denial-of-service conditions. The vulnerability can be exploited remotely without any privileges or user interaction, making it a moderate security risk. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the PCRE2 library version in use and by attempting to reproduce the issue using the pcre2test binary with AddressSanitizer. Specifically, running the test regex pattern /(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/ against the input string "abbb" with AddressSanitizer enabled can reveal the heap-buffer-overflow read. Checking the PCRE2 version to ensure it is 10.46 or later also helps detect if the vulnerable version 10.45 or earlier is present. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the PCRE2 library to version 10.46 or later, which contains the security fix for this vulnerability. The fix involves a minimal code change that correctly restores internal buffer state variables after an ACCEPT opcode within a scan substring block, preventing the heap-buffer-overflow read. Avoid using vulnerable versions (10.45 and earlier) until the update is applied. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart