Is CVE-2019-13224 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 4%.

What products does CVE-2019-13224 affect?

Tracked products affected include PHP, Fedora. Check the version you run to see whether it is affected.

How do I fix CVE-2019-13224?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2019-13224

Q: What is CVE-2019-13224?

CVE-2019-13224 is a critical-severity software vulnerability (Use-after-free) with a CVSS score of 9.8. A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provide

CRITICAL severity · CVSS 9.8 · Use-after-free

9.8CVSS CRITICAL

Summary

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)4%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (2)

PHP Fedora

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 ↗

CVE-2019-13224

Summary

Impact & exploitability

Affected products we track (2)

Recommendation

Additional information