CVE Vulnerabilities

CVE-2019-9192

Uncontrolled Recursion

Published: Feb 26, 2019 | Modified: May 17, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
2.8 N/A
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Ubuntu
NEGLIGIBLE

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by (|)(11)* in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Weakness 

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software 

Name Vendor Start Version End Version
Glibc Gnu * 2.29 (including)
Eglibc Ubuntu trusty *
Glibc Ubuntu cosmic *
Glibc Ubuntu disco *

Potential Mitigations 

References