CVE-2025-58050: 
NixOS vulnerability analysis and mitigation

The PCRE2 library (version 10.45) contains a heap-buffer-overflow read vulnerability (CVE-2025-58050) in its regular expression matching engine, specifically within the handling of the (scs:...) (Scan SubString) verb when combined with (ACCEPT) in src/pcre2_match.c. The vulnerability was discovered and disclosed on August 27, 2025, affecting the PCRE2 regular expression pattern matching library (NVD, GitHub Advisory).

The vulnerability occurs when a pattern inside the (scs:...) block succeeds via an immediate (ACCEPT). While the engine correctly restores the current subject pointer to its position before the SCS assertion, it fails to restore the original mb->endsubject and mb->trueend_subject values. These pointers remain incorrectly pointing to the end of the scanned substring. The issue manifests when subsequent operations, such as backreferences, are attempted, potentially leading to a heap-buffer-overflow read condition. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L (GitHub Advisory).

The vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This could have implications of denial-of-service or information disclosure, and could potentially be used to escalate other vulnerabilities in a system (GitHub Release).

The vulnerability has been fixed in PCRE2 version 10.46. This security-only release includes a minimal code change to prevent the read-past-the-end memory error. Users are advised to upgrade to version 10.46 or later to address this security issue (GitHub Release).