Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.
pcre3 to version 2:8.39-3 or higher.