cve/2016/CVE-2016-3191.md

### [CVE-2016-3191](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3191)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

The compile_branch function in pcre_compile.c in PCRE 8.x before 8.39 and pcre2_compile.c in PCRE2 before 10.22 mishandles patterns containing an (*ACCEPT) substring in conjunction with nested parentheses, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-3542.

### POC

#### Reference
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Mohzeela/external-secret
- https://github.com/RedHatSatellite/satellite-host-cve
- https://github.com/marklogic/marklogic-docker
- https://github.com/marklogic/marklogic-kubernetes
- https://github.com/siddharthraopotukuchi/trivy
- https://github.com/t31m0/Vulnerability-Scanner-for-Containers
- https://github.com/umahari/security