CVE-2022-1587: 
NixOS vulnerability analysis and mitigation

An out-of-bounds read vulnerability (CVE-2022-1587) was discovered in the PCRE2 library, specifically in the getrecursedatalength() function of the pcre2jit_compile.c file. The vulnerability was disclosed in May 2022 and affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. The issue impacts the PCRE2 library and various systems and applications that incorporate it (NVD, MITRE).

The vulnerability exists in the PCRE2 library's JIT compilation process, specifically within the getrecursedatalength() function of pcre2jit_compile.c. The issue manifests when handling recursions in JIT-compiled regular expressions, where duplicate data transfers can trigger an out-of-bounds read condition. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H (NetApp Advisory).

When successfully exploited, this vulnerability can lead to information disclosure or denial of service (DoS). The high severity rating indicates significant potential impact on system security, particularly concerning the confidentiality and availability of affected systems (NetApp Advisory).

The vulnerability was fixed in PCRE2 version 10.40. Various distributions and vendors have released patches to address this issue. For example, Debian released security updates (DLA-3363-1) to fix the vulnerability, and Fedora provided updates for both version 35 and 36 of their pcre2 packages (Debian LTS, Fedora Update).