{"id":"CVE-2017-9225","details":"An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.","modified":"2026-04-11T04:59:35.571635Z","published":"2017-05-24T15:29:00.230Z","references":[{"type":"FIX","url":"https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f"},{"type":"EVIDENCE","url":"https://github.com/kkos/oniguruma/issues/56"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kkos/oniguruma","events":[{"introduced":"0"},{"last_affected":"c4ce370f5754b34321c7f87cdc6f198864221eca"},{"fixed":"166a6c3999bf06b4de0ab4ce6b088a468cc4029f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.2.0"}]}},{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"last_affected":"5d08c710749096291e294afd641e4429760c6c6e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"7.1.5"}]}},{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected":"820605ba3c10b9f4dafc4e5d6e09765b8b31cbea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.4.1"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS","php-7.1.5","php-7.1.5RC1","v1_0_r2","v2_4_1","v5.9.6","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9225.json","vanir_signatures":[{"source":"https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f","deprecated":false,"target":{"file":"src/unicode_unfold_key.c"},"digest":{"threshold":0.9,"line_hashes":["324108389711674846455372721615815071752","78125804542342940617720207021732851899","288314762901706662148070349691664859187","194786076425880166381460759605312479128"]},"id":"CVE-2017-9225-3fa17e87","signature_type":"Line","signature_version":"v1"},{"source":"https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f","deprecated":false,"target":{"function":"unicode_unfold_key","file":"src/unicode_unfold_key.c"},"digest":{"length":37595,"function_hash":"178544139292996599899959759183935258796"},"id":"CVE-2017-9225-5da41359","signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T04:59:35Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}