{"id":"CVE-2019-19246","details":"Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.","modified":"2026-04-16T04:33:51.491580155Z","published":"2019-11-25T17:15:11.887Z","related":["ALSA-2020:3662","SUSE-SU-2022:3327-1","openSUSE-SU-2024:11111-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/"},{"type":"ADVISORY","url":"https://bugs.php.net/bug.php?id=78559"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4460-1/"},{"type":"FIX","url":"https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kkos/oniguruma","events":[{"introduced":"0"},{"last_affected":"813592905c2d55ff7f70fc92bf775c859d6ed48e"},{"fixed":"d3e402928b6eb3327f8f7d59a9edfa622fec557b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.9.3"}]}},{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"52ace952a1b65ca80fc2617f11c2fa6dd03f51bd"},{"fixed":"7d61aa2b2132a07e79c5926f38bd621187e8672c"},{"introduced":"0"},{"last_affected":"5dc92c2117cafc61daaaaa240fd46c3ac33872a4"}],"database_specific":{"versions":[{"introduced":"7.3.0"},{"fixed":"7.3.10"},{"introduced":"0"},{"last_affected":"8.0"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS","php-7.3.10RC1","php-8.0.0","v5.9.6","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.2.0","v6.3.0","v6.4.0","v6.5.0","v6.6.0","v6.6.1","v6.7.0","v6.7.1","v6.8.0","v6.8.1","v6.8.2","v6.9.0","v6.9.1","v6.9.2","v6.9.2_rc1","v6.9.2_rc2","v6.9.2_rc3","v6.9.3"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"line_hashes":["62515007490554007865331787131035268207","73060259964332736538643090030886107933","240203263475203359359784711152491354249","158627744619430761962932360405786758087"],"threshold":0.9},"id":"CVE-2019-19246-ee72ec58","deprecated":false,"target":{"file":"src/regexec.c"},"source":"https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"301772738909245608982934055287646460906","length":390},"source":"https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b","deprecated":false,"target":{"function":"str_lower_case_match","file":"src/regexec.c"},"id":"CVE-2019-19246-f787398e","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-11T09:39:45Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19246.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}