An out-of-bounds read vulnerability was found in the way Oniguruma handled regular expressions with GB18030 character encoding. A UChar pointer is dereferenced without checking if it passed the end of the matched string, leading to a heap-based buffer over-read. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, might crash the application causing a denial of service.