vulnerability
Red Hat: CVE-2019-9023: CVE-2019-9023 php: Heap-based buffer over-read in mbstring regular expression functions (Multiple Advisories)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 22, 2019 | Apr 29, 2020 | Jul 9, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Feb 22, 2019
Added
Apr 29, 2020
Modified
Jul 9, 2025
Description
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences.
Solution(s)
no-fix-redhat-rpm-packageredhat-upgrade-apcu-panelredhat-upgrade-libzipredhat-upgrade-libzip-debuginforedhat-upgrade-libzip-debugsourceredhat-upgrade-libzip-develredhat-upgrade-libzip-toolsredhat-upgrade-libzip-tools-debuginforedhat-upgrade-phpredhat-upgrade-php-bcmathredhat-upgrade-php-bcmath-debuginforedhat-upgrade-php-cliredhat-upgrade-php-cli-debuginforedhat-upgrade-php-commonredhat-upgrade-php-common-debuginforedhat-upgrade-php-dbaredhat-upgrade-php-dba-debuginforedhat-upgrade-php-dbgredhat-upgrade-php-dbg-debuginforedhat-upgrade-php-debuginforedhat-upgrade-php-debugsourceredhat-upgrade-php-develredhat-upgrade-php-embeddedredhat-upgrade-php-embedded-debuginforedhat-upgrade-php-enchantredhat-upgrade-php-enchant-debuginforedhat-upgrade-php-fpmredhat-upgrade-php-fpm-debuginforedhat-upgrade-php-gdredhat-upgrade-php-gd-debuginforedhat-upgrade-php-gmpredhat-upgrade-php-gmp-debuginforedhat-upgrade-php-intlredhat-upgrade-php-intl-debuginforedhat-upgrade-php-jsonredhat-upgrade-php-json-debuginforedhat-upgrade-php-ldapredhat-upgrade-php-ldap-debuginforedhat-upgrade-php-mbstringredhat-upgrade-php-mbstring-debuginforedhat-upgrade-php-mysqlndredhat-upgrade-php-mysqlnd-debuginforedhat-upgrade-php-odbcredhat-upgrade-php-odbc-debuginforedhat-upgrade-php-opcacheredhat-upgrade-php-opcache-debuginforedhat-upgrade-php-pdoredhat-upgrade-php-pdo-debuginforedhat-upgrade-php-pearredhat-upgrade-php-pecl-apcuredhat-upgrade-php-pecl-apcu-debuginforedhat-upgrade-php-pecl-apcu-debugsourceredhat-upgrade-php-pecl-apcu-develredhat-upgrade-php-pecl-zipredhat-upgrade-php-pecl-zip-debuginforedhat-upgrade-php-pecl-zip-debugsourceredhat-upgrade-php-pgsqlredhat-upgrade-php-pgsql-debuginforedhat-upgrade-php-processredhat-upgrade-php-process-debuginforedhat-upgrade-php-recoderedhat-upgrade-php-recode-debuginforedhat-upgrade-php-snmpredhat-upgrade-php-snmp-debuginforedhat-upgrade-php-soapredhat-upgrade-php-soap-debuginforedhat-upgrade-php-xmlredhat-upgrade-php-xml-debuginforedhat-upgrade-php-xmlrpcredhat-upgrade-php-xmlrpc-debuginfo
References

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.