Description: Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release             Version            Status
eglibc (PTS)     wheezy              2.13-38+deb7u10    vulnerable
                 wheezy (security)   2.13-38+deb7u12    vulnerable
glibc (PTS)      jessie              2.19-18+deb8u9     vulnerable
                 jessie (security)   2.19-18+deb8u10    vulnerable
                 stretch (security)  2.24-11+deb9u1     vulnerable
                 buster, sid         2.24-12            vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


This is a deficiency in the regexp engine of glibc. While there are implementations which
process such expressions more efficiently, imposing a limit lies within
the application that accepts the expression from user input.
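As an added example (not code from the tracker page, from glibc, or from ProFTPD), this is the kind of application-side limit the note refers to: a hypothetical pattern_is_acceptable() check that caps the length of a user-supplied pattern and refuses one in which a repetition operator directly follows another (the {10,}{10,}{10,}{10,} shape named in the description), run before the pattern ever reaches regcomp(). MAX_PATTERN_LEN, the helper names and the sample patterns are assumptions made for the example.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy value for the example; pick what the application needs. */
#define MAX_PATTERN_LEN 256

/* POSIX ERE repetition operators (an interval "{m,n}" starts with '{'). */
static int is_repetition_op(char c) {
    return c == '*' || c == '+' || c == '?' || c == '{';
}

/* Decide whether a user-supplied ERE pattern may be handed to regcomp().
 * Returns 1 if acceptable, 0 if rejected. Rejects when:
 *   - the pattern is empty or longer than max_len (blanket size limit),
 *   - a repetition operator immediately follows another one, e.g.
 *     "a{10,}{10,}" or "a*+" (the adjacent-operator case of this CVE),
 *   - a bracket expression, interval or escape is left unterminated.
 * This is a conservative syntactic filter, not a cost model for every
 * expensive pattern; the length cap is what bounds the rest. */
int pattern_is_acceptable(const char *pat, size_t max_len) {
    size_t len = strlen(pat);
    if (len == 0 || len > max_len)
        return 0;

    int prev_was_op = 0; /* previous token was a repetition operator */
    for (size_t i = 0; i < len; i++) {
        char c = pat[i];

        if (c == '\\') {                 /* escaped character is a literal */
            if (i + 1 >= len)
                return 0;                /* trailing backslash: malformed */
            i++;
            prev_was_op = 0;
            continue;
        }

        if (c == '[') {                  /* skip over a bracket expression */
            size_t j = i + 1;
            if (j < len && pat[j] == '^') j++;
            if (j < len && pat[j] == ']') j++;   /* leading ']' is literal */
            while (j < len && pat[j] != ']') j++;
            if (j >= len)
                return 0;                /* unterminated bracket expression */
            i = j;
            prev_was_op = 0;
            continue;
        }

        if (is_repetition_op(c)) {
            if (prev_was_op)
                return 0;                /* operator stacked on operator */
            if (c == '{') {
                const char *close = strchr(pat + i, '}');
                if (close == NULL)
                    return 0;            /* unterminated interval */
                i = (size_t)(close - pat);
            }
            prev_was_op = 1;
        } else {
            prev_was_op = 0;
        }
    }
    return 1;
}

/* Compile pat only after the policy check, match it against subject, and
 * release the regex. Returns 1 on match, 0 on no match, -1 if the policy
 * rejected the pattern, -2 if regcomp() itself failed. */
int check_and_match(const char *pat, const char *subject) {
    regex_t re;
    if (!pattern_is_acceptable(pat, MAX_PATTERN_LEN))
        return -1;
    if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0)
        return -2;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void) {
    /* Constructed sample patterns: one ordinary, one of the CVE's shape. */
    const char *ok  = "^[a-z]+@example\\.com$";
    const char *bad = "a{10,}{10,}{10,}{10,}";
    printf("%s -> %d\n", ok, check_and_match(ok, "bob@example.com"));
    printf("%s -> %d\n", bad, check_and_match(bad, "aaaa"));
    return 0;
}
```

The check runs in one pass over the pattern and never calls into the regex engine for a rejected input, so the cost of a refused pattern is linear in its length regardless of what the engine would have done with it.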

