{"id":"CVE-2017-9224","details":"An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.","modified":"2026-04-16T06:19:58.013003662Z","published":"2017-05-24T15:29:00.183Z","related":["SUSE-SU-2017:1585-1","SUSE-SU-2017:1662-1","SUSE-SU-2017:1717-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1296"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/101244"},{"type":"REPORT","url":"https://github.com/kkos/oniguruma/issues/57"},{"type":"FIX","url":"https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kkos/oniguruma","events":[{"introduced":"0"},{"last_affected":"c4ce370f5754b34321c7f87cdc6f198864221eca"},{"fixed":"690313a061f7a4fa614ec5cc8368b4f2284e059b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.2.0"}]}},{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"fixed":"de96a08a90e480f1afb655bcfeac8ac28a14228e"},{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"8a79ce6c8b9d309573993ce332f3951ea1947e2f"},{"introduced":"0221e9f827632942225586687a33cfd554860d5e"},{"fixed":"73915a2bd61f21fd809b4d50af9aba950f43e807"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.6.31"},{"introduced":"7.0.0"},{"fixed":"7.0.21"},{"introduced":"7.1.0"},{"fixed":"7.1.7"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS","php-7.0.21RC1","php-7.1.7RC1","v5.9.6","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.2.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T04:59:35Z","vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2017-9224-343f4c1a","target":{"file":"ext/pcre/pcrelib/pcre_jit_compile.c","function":"compile_bracket_matchingpath"},"signature_type":"Function","digest":{"function_hash":"233037532068098537505988791132617368492","length":13872},"source":"https://github.com/php/php-src/commit/73915a2bd61f21fd809b4d50af9aba950f43e807"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-9224-4e7c3a81","target":{"file":"src/regexec.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["218275574838915329428894979863676023579","110376745905432703800914764257437607206","320066072742789064155736675079030765698","136023353432955758296444224254897665712","283348006629708797105129985095973840520","263955851575144037512564373773188411580","101836692004798677941713213678481189101","93792859032957038648003350962208405452","276724385951229306965048612161485230063","77619366922882625014828695891397227529","95649270530021035589215734886776241323"]},"source":"https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b"},{"deprecated":false,"signature_version":"v1","id":"CVE-2017-9224-cfd9dfdb","target":{"file":"ext/pcre/pcrelib/pcre_jit_compile.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["41612049881914751775057704412356952022","206133687184829194312361432760839012982","60469889591596012334583203454317370370","317056786488417399517652373716894105276"]},"source":"https://github.com/php/php-src/commit/73915a2bd61f21fd809b4d50af9aba950f43e807"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9224.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}