CVE-2025-58050

Public Exploit
PCRE2: heap-buffer-overflow read in match_ref due to missing boundary restoration in SCS

Description

The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.

Category

6.9
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.04%
Affected: PCRE2Project pcre2
Published at:
Updated at:

References

Link Tags
https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2
https://github.com/PCRE2Project/pcre2/commit/a141712e5967d448c7ce13090ab530c8e3d82254
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46

Frequently Asked Questions

What is the severity of CVE-2025-58050?
CVE-2025-58050 has been scored as a medium severity vulnerability.
How to fix CVE-2025-58050?
To fix CVE-2025-58050, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-58050 being actively exploited in the wild?
It is possible that CVE-2025-58050 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-58050?
CVE-2025-58050 affects PCRE2Project pcre2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.