CVE-2014-9654

Publication date 5 February 2015

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring that they can be represented in a 24-bit field, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted string, a related issue to CVE-2014-7923.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
icu	14.10 utopic	Fixed 52.1-6ubuntu0.2
	14.04 LTS trusty	Fixed 52.1-3ubuntu0.2
	12.04 LTS precise	Fixed 4.8.1.1-3ubuntu0.3
	10.04 LTS lucid	Ignored end of life

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
icu	Upstream: http://bugs.icu-project.org/trac/changeset/31233 Upstream: http://bugs.icu-project.org/trac/changeset/36801

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-2522-1
ICU vulnerabilities
5 March 2015