CVE-2025-58050: CWE-125: Out-of-bounds Read in PCRE2Project pcre2
The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46.
AI Analysis
Technical Summary
CVE-2025-58050 is a medium-severity vulnerability identified in the PCRE2 (Perl Compatible Regular Expressions) library version 10.45. PCRE2 is widely used for regular expression pattern matching in numerous software applications and systems. The vulnerability is a heap-buffer-overflow read issue occurring specifically in the handling of the (*scs:...) (Scan SubString) verb when combined with the (*ACCEPT) verb within the pcre2_match.c source file. This flaw allows an out-of-bounds read during a memcmp operation, potentially causing the application to read memory beyond the allocated buffer. Although this is a read overflow rather than a write, it can lead to information disclosure if the out-of-bounds data influences the final match result in a way observable by an attacker. The vulnerability does not require any privileges or user interaction and can be triggered remotely if an attacker can supply crafted regular expressions or input strings to an application using the vulnerable PCRE2 version. The issue has been addressed and resolved in PCRE2 version 10.46. No known exploits are currently reported in the wild, but the vulnerability's characteristics suggest it could be leveraged for information leakage attacks in affected environments.
Potential Impact
For European organizations, the impact of CVE-2025-58050 primarily concerns confidentiality due to the potential for information disclosure via out-of-bounds memory reads. Organizations that rely on software components or services embedding PCRE2 version 10.45—such as web servers, security tools, data processing applications, or network appliances—may be at risk if these components process untrusted input containing crafted regular expressions. The vulnerability could be exploited to leak sensitive data from memory, which might include cryptographic keys, credentials, or other confidential information, depending on the context of the application. While the vulnerability does not directly affect integrity or availability, the confidentiality breach could lead to further attacks or compliance violations under European data protection regulations such as GDPR. The lack of requirement for authentication or user interaction increases the risk, especially for internet-facing services. However, the absence of known exploits and the medium CVSS score suggest that immediate widespread impact is limited but should not be underestimated.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify all software and services using PCRE2 version 10.45 by auditing software inventories, including indirect dependencies in container images and third-party libraries.
2) Prioritize upgrading to PCRE2 version 10.46 or later, which contains the fix for this vulnerability.
3) For software where immediate upgrade is not feasible, implement input validation and sanitization to restrict or block the use of complex regular expressions containing the (*scs:...) and (*ACCEPT) verbs, especially from untrusted sources.
4) Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious regular expression patterns that could trigger the vulnerability.
5) Monitor logs and network traffic for anomalous patterns indicative of exploitation attempts.
6) Coordinate with software vendors to ensure timely patching and receive security advisories.
7) Incorporate this vulnerability into incident response plans to quickly address any exploitation attempts.
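A pre-compile gate for steps 1 to 3, as an added example that is not code from this page or from the PCRE2 project: it checks the library version string and screens an untrusted pattern for the two verbs before the application would hand it to the regex compiler. The function names are hypothetical; it assumes the version string is the one returned by pcre2_config(PCRE2_CONFIG_VERSION) and that (*scan_substring:...) is the long spelling of (*scs:...).

```c
#include <stdio.h>
#include <string.h>

#define VERB_SCS    0x1 /* (*scs:...) or its long form (*scan_substring:...) */
#define VERB_ACCEPT 0x2 /* (*ACCEPT) or (*ACCEPT:NAME) */

/* Bounded substring search; a pattern may contain NUL bytes, so a length
 * is passed and nothing past pat[len - 1] is read. */
static int contains(const char *pat, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(pat + i, needle, n) == 0) return 1;
    return 0;
}

/* Textual screen, deliberately fail-closed: it also flags verbs that appear
 * inside \Q...\E or a character class, where they would only be literal text. */
int screen_pattern(const char *pat, size_t len)
{
    int found = 0;
    if (contains(pat, len, "(*scs:") || contains(pat, len, "(*scan_substring:"))
        found |= VERB_SCS;
    if (contains(pat, len, "(*ACCEPT"))
        found |= VERB_ACCEPT;
    return found;
}

/* Only 10.45 is listed as affected; an unparseable string fails closed. */
int version_is_affected(const char *version)
{
    int major, minor;
    if (!version || sscanf(version, "%d.%d", &major, &minor) != 2) return 1;
    return major == 10 && minor == 45;
}

/* Hypothetical policy hook: 1 = refuse to compile this untrusted pattern. */
int reject_untrusted_pattern(const char *version, const char *pat, size_t len)
{
    int verbs = screen_pattern(pat, len);
    return version_is_affected(version) && (verbs & VERB_SCS) && (verbs & VERB_ACCEPT);
}

int main(void)
{
    const char *p = "(a)(*scs:(1)...(*ACCEPT))"; /* constructed filter input */
    printf("reject=%d\n", reject_untrusted_pattern("10.45", p, strlen(p)));
    return 0;
}
```

A stricter deployment can reject on VERB_SCS alone for untrusted input, since the screen already errs on the side of refusing.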
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-22T14:30:32.221Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68af565cad5a09ad0065587f
Added to database: 8/27/2025, 7:02:52 PM
Last enriched: 8/27/2025, 7:17:47 PM
Last updated: 8/28/2025, 4:39:32 AM