CVE-2022-1586: 
NixOS vulnerability analysis and mitigation

CVE-2022-1586 is an out-of-bounds read vulnerability discovered in the PCRE2 library, specifically in the compilexclassmatchingpath() function of the pcre2jitcompile.c file. The vulnerability involves a unicode property matching issue in JIT-compiled regular expressions, where the character was not fully read in case-less matching within JIT. The issue was discovered and disclosed in May 2022 (NVD, CVE).

The vulnerability occurs in the PCRE2 library's JIT compilation process, specifically when handling unicode property matching in case-less mode. The issue stems from incorrect character reading during the compilation of regular expressions in the compilexclassmatchingpath() function. The vulnerability has been assigned a CVSS 3.1 base score of 9.1 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can lead to information disclosure through out-of-bounds read operations and potential denial of service (DoS) conditions. The high severity rating indicates significant potential impact on system confidentiality and availability (NetApp Advisory).

The vulnerability has been fixed in PCRE2 version 10.40. Multiple vendors have released patches and updates to address this issue. Red Hat has addressed it in RHSA-2022:5251 and RHSA-2022:5809, Debian has released fixes in version 10.32-5+deb10u1, and Ubuntu has provided updates for various releases including 22.04 LTS (version 10.39-3ubuntu0.1) and 20.04 LTS (version 10.34-7ubuntu0.1) (Debian Security, Ubuntu Security).