PatchSiren cyber security CVE debrief
CVE-2017-6004 Pcre CVE debrief
CVE-2017-6004 is a denial-of-service issue in PCRE’s JIT compilation path. According to NVD, the flaw can be triggered by a crafted regular expression and may cause an out-of-bounds read followed by an application crash. NVD rates the issue as high severity (CVSS 3.0: 7.5) with network attack vector and no privileges or user interaction required. The record links the fix to an upstream PCRE patch (revision 1680) and lists PCRE versions through 8.38 as vulnerable. Because PCRE is commonly embedded in other products, downstream users should verify whether their packaged or bundled PCRE build includes the fix rather than assuming the product version alone is enough.
- Vendor: Pcre
- Product: CVE-2017-6004
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-16
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-16
- Advisory updated: 2026-05-13
Who should care
Security teams and operators who run software with embedded PCRE, especially applications or services that accept user-controlled regular expressions or parse regex-heavy input paths. This includes downstream consumers of bundled PCRE builds, such as the PHP 7.1.1 bundled version mentioned in the description.
Technical summary
NVD describes a flaw in the compile_bracket_matchingpath function in pcre_jit_compile.c. A crafted regular expression can lead to an out-of-bounds read during JIT compilation and crash the application. NVD maps the weakness to CWE-125 and identifies the affected CPE range as PCRE through 8.38, with the upstream fix referenced by the patch between revisions 1676 and 1680.
Defensive priority
High for any internet-facing or multi-tenant service that accepts regex input or depends on bundled PCRE. The issue is a remote, unauthenticated availability impact, so remediation should be prioritized alongside other crash-triggering parser flaws.
Recommended defensive actions
- Identify all applications and libraries that embed or dynamically link PCRE, including vendor-bundled copies.
- Confirm whether the deployed PCRE build includes the upstream fix referenced by revision 1680 rather than relying only on product version strings.
- Upgrade to a PCRE release or downstream package that includes the fix, or apply the vendor patch if available.
- Treat externally supplied regular expressions as untrusted input and limit where regex compilation occurs.
- After remediation, validate that the affected code path no longer crashes under normal regression testing for regex compilation.
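Added triage helper for the first two actions above (this is example code written for this debrief, not PatchSiren's or PCRE's own tooling). It assumes the PCRE 8.x C API (pcre_version() and pcre_config() with PCRE_CONFIG_JIT as defined in pcre.h) and a libpcre that ctypes can locate; the affected range comes from the NVD data quoted above, and the comparison is deliberately reported as "verify the patch", since a backported fix for revision 1680 does not change the version string.

```python
"""Report which PCRE build this host loads, whether its version string falls
in the range NVD lists for CVE-2017-6004, and whether JIT (the affected
code path) is compiled in. Example code, not part of PCRE."""
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

LAST_AFFECTED = (8, 38)   # NVD: PCRE through 8.38 (from the debrief)
PCRE_CONFIG_JIT = 9       # option id for pcre_config() in pcre.h (PCRE 8.x)


def parse_pcre_version(text: str) -> Tuple[int, int]:
    """pcre_version() returns e.g. '8.38 2015-11-23'; keep major.minor."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PCRE version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def needs_patch_check(version: Tuple[int, int]) -> bool:
    """True when the version string alone cannot rule the build out.
    A distro backport of r1680 keeps the old string, so True means
    'confirm the fix is present', not 'confirmed vulnerable'."""
    return version <= LAST_AFFECTED


def load_libpcre() -> Optional[ctypes.CDLL]:
    """Locate the libpcre the dynamic loader would hand to applications."""
    name = ctypes.util.find_library("pcre")
    return ctypes.CDLL(name) if name else None


def inspect_host() -> dict:
    lib = load_libpcre()
    if lib is None:
        return {"found": False}           # statically bundled copies need a separate check
    lib.pcre_version.restype = ctypes.c_char_p
    version = parse_pcre_version(lib.pcre_version().decode())
    jit = ctypes.c_int(0)
    lib.pcre_config(PCRE_CONFIG_JIT, ctypes.byref(jit))
    return {"found": True, "version": version,
            "jit_built": bool(jit.value),   # the vulnerable path only exists with JIT
            "needs_patch_check": needs_patch_check(version)}


if __name__ == "__main__":
    print(inspect_host())
```

A host where JIT is not compiled in never reaches compile_bracket_matchingpath, but the library should still be patched, since another application may bundle its own JIT-enabled copy.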
Evidence notes
This debrief is based on the official NVD record for CVE-2017-6004, which states the issue affects pcre_jit_compile.c in PCRE and can cause an out-of-bounds read and application crash from a crafted regular expression. NVD also provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-125 classification, an affected range through PCRE 8.38, and a patch reference to the upstream revision 1676..1680 diff. The CVE published date used here is 2017-02-16.
Official resources
- CVE-2017-6004 CVE record (CVE.org)
- CVE-2017-6004 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference (NVD reference tags: Issue Tracking, Third Party Advisory, VDB Entry)
Publicly disclosed in the CVE record on 2017-02-16. The source corpus later shows modified metadata on 2026-05-13, which should not be treated as the issue date.