CVE-2008-0172

The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.

Published: 2008-01-17 | Last update: 2026-06-16 | Assigner: [email protected] | Source: [email protected]

Conclusion & alert: CVE-2008-0172 is rated Moderate Risk (46.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.96%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2008-0172

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

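| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|------|----------------|----------------|-------------------|
| 1 | 2026-06-15 | 2.19% | 1.96% | -0.24% |
| 2 | 2026-02-11 | 1.93% | 2.19% | +0.26% |
| 3 | 2025-03-30 | | 1.93% | |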

Full EPSS history (14 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-0172

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|------------|---------|----------|--------|----------------|--------|--------------|
| 5.0 | 2.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | [email protected] |

Vector breakdown:

  • Access vector (AV:N): Can be exploited remotely over network reachability.
  • Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
  • Authentication (Au:N): No authentication is required.
  • Confidentiality impact (C:N): No confidentiality impact.
  • Integrity impact (I:N): No integrity impact.
  • Availability impact (A:P): Partial availability impact.

Weakness enumeration for CVE-2008-0172

OS Trackers for CVE-2008-0172

| Vendor | Priority | Summary | Link |
|--------|----------|---------|------|
| gentoo | normal | CVE-2008-0172: 1 GLSA(s) (200802-08), 1 atom(s) (dev-libs/boost); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-0172 |
| redhat | low | | https://access.redhat.com/security/cve/CVE-2008-0172 |
| ubuntu | low | CVE-2008-0172 low priority: Ubuntu including 1 source packages (boost), 5 status rows across 5 suites (dapper, edgy, feisty, gutsy, upstream): released 4, needs-triage 1. | https://ubuntu.com/security/CVE-2008-0172 |

Vendor comments (NVD) for CVE-2008-0172

  • Red Hat (2008-05-12T00:00:00)

    This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4. For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0172 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

Affected software / configurations for CVE-2008-0172

| Vendor | Product | Version | Raw CPE |
|--------|---------|---------|---------|
| boost | boost | 1.33 | cpe:2.3:a:boost:boost:1.33:*:*:*:*:*:*:* |
| boost | boost | 1.34 | cpe:2.3:a:boost:boost:1.34:*:*:*:*:*:*:* |

References for CVE-2008-0172

URL Tags
http://bugs.gentoo.org/show_bug.cgi?id=205955
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html
http://secunia.com/advisories/28511
http://secunia.com/advisories/28527
http://secunia.com/advisories/28545
http://secunia.com/advisories/28705
http://secunia.com/advisories/28860
http://secunia.com/advisories/28943
http://secunia.com/advisories/29323
http://secunia.com/advisories/48099
http://svn.boost.org/trac/boost/changeset/42674
http://svn.boost.org/trac/boost/changeset/42745
http://wiki.rpath.com/Advisories:rPSA-2008-0063
http://www.gentoo.org/security/en/glsa/glsa-200802-08.xml
http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:032
http://www.securityfocus.com/archive/1/488102/100/0/threaded
http://www.securityfocus.com/bid/27325
http://www.ubuntu.com/usn/usn-570-1
http://www.vupen.com/english/advisories/2008/0249
https://issues.rpath.com/browse/RPL-2143
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00760.html