Oniguruma · Oniguruma · CVE-2019-13224
**Name of the Vulnerable Software and Affected Versions**
Oniguruma version 6.9.2
**Description**
A use-after-free in the `onig_new_deluxe()` function in regext.c allows an attacker who supplies a crafted regular expression to cause information disclosure, denial of service, or possibly code execution. The attacker supplies a regex pattern together with a string, using a multi-byte encoding that is handled by `onig_new_deluxe()`. This issue may also affect Ruby, as well as common optional libraries for PHP and Rust.
**Recommendations**
For Oniguruma version 6.9.2, consider updating to a newer version to mitigate the risk; however, at the moment there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the use of the `onig_new_deluxe()` function until a patch is available, and avoid multi-byte encodings in regex patterns and strings handled by `onig_new_deluxe()` until the issue is resolved.
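A small audit helper for the workaround above, added here as an example and not part of the advisory: it reads the version macros that Oniguruma's public header `oniguruma.h` defines (`ONIGURUMA_VERSION_MAJOR`, `MINOR`, `TEENY`) and lists every `onig_new_deluxe()` call site in a set of C sources so each one can be reviewed or replaced. It treats only 6.9.2 as affected, exactly as the advisory states; the sample input is constructed.

```python
import re
# Version the advisory names as affected by CVE-2019-13224.
AFFECTED_VERSION = (6, 9, 2)
# oniguruma.h defines ONIGURUMA_VERSION_MAJOR/MINOR/TEENY; the call being audited is onig_new_deluxe().
VERSION_RE = re.compile(r"#define\s+ONIGURUMA_VERSION_(MAJOR|MINOR|TEENY)\s+(\d+)")
CALL_RE = re.compile(r"\bonig_new_deluxe\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def parse_oniguruma_version(header_text):
    """Return (major, minor, teeny) from oniguruma.h text, or None if a macro is missing."""
    found = dict(VERSION_RE.findall(header_text))
    if not all(k in found for k in ("MAJOR", "MINOR", "TEENY")):
        return None
    return (int(found["MAJOR"]), int(found["MINOR"]), int(found["TEENY"]))

def find_deluxe_calls(source_text):
    """Return 1-based line numbers of onig_new_deluxe( call sites, ignoring comments."""
    # Block comments are replaced by the same number of newlines so line numbers stay correct.
    stripped = BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), source_text)
    hits = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        if CALL_RE.search(line.split("//", 1)[0]):   # drop trailing // comments
            hits.append(lineno)
    return hits

def audit(files):
    """files maps path -> text. Reports the vendored Oniguruma version, whether it is the
    version named in the advisory, and every onig_new_deluxe() call site that needs review."""
    version, call_sites = None, []
    for path, text in files.items():
        if path.endswith("oniguruma.h"):
            version = parse_oniguruma_version(text) or version
        if path.endswith((".c", ".cc", ".cpp", ".h")):
            call_sites += [(path, n) for n in find_deluxe_calls(text)]
    return {"version": version, "affected": version == AFFECTED_VERSION, "call_sites": call_sites}

# Constructed sample input: a vendored 6.9.2 header plus one real call and two commented-out ones.
SAMPLE = {
    "vendor/onig/oniguruma.h": "#define ONIGURUMA_VERSION_MAJOR 6\n"
                               "#define ONIGURUMA_VERSION_MINOR 9\n"
                               "#define ONIGURUMA_VERSION_TEENY 2\n",
    "src/match.c": "/* onig_new_deluxe( in a block comment is ignored */\n"
                   "int r = onig_new_deluxe(&reg, pat, pat_end, &ci, &einfo);\n"
                   "// onig_new_deluxe( after a line comment is ignored too\n",
}

if __name__ == "__main__":
    for path, lineno in audit(SAMPLE)["call_sites"]:
        print(f"{path}:{lineno}: onig_new_deluxe() call site to review")
```

To run it against a real checkout, build the `files` mapping by reading each file under the source tree into a string and pass it to `audit()`.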