CVE-2017-9227

Name of the Vulnerable Software and Affected Versions Oniguruma version 6.2.0 Oniguruma-mod in Ruby versions prior to 2.4.1 mbstring in PHP versions prior to 7.1.5

Description The issue is related to an out-of-bounds read in the mbc enc len() function during regular expression searching. This occurs due to invalid handling of reg->dmin in the forward search range() function, which could result in an invalid pointer dereference. The vulnerability allows a remote attacker to perform an out-of-bounds read from a stack buffer in dynamic memory.

Recommendations For Oniguruma version 6.2.0, update to a newer version to mitigate the risk. For Oniguruma-mod in Ruby versions prior to 2.4.1, update Ruby to version 2.4.1 or later. For mbstring in PHP versions prior to 7.1.5, update PHP to version 7.1.5 or later. As a temporary workaround, consider restricting the use of the mbc enc len() function and the forward search range() function until a patch is available.