Copied from RedHat's BZ:
unmatched \Q\E sequences with orphan \E codes can cause the compiled
regex to become desynchronized, resulting in corrupt bytecode that may
result in multiple exploitable conditions. This was inadvertently
fixed by the pcre maintainer in version 7.0, however another case of a
lone \E inside a character class remained, this has been fixed in 7.3.

multiple forms of character class had their sizes miscalculated on
initial passes, resulting in too little memory being allocated, this
was also inadvertently fixed in version 7.0, where the compile phase
was entirely re-engineered (and much improved, from a security

According to the comments, 7.3 is unaffected. Stabling takes place in bug #195416 since 2007-10-10. The only missing keywords right now are "arm m68k mips s390 sh".
What's left to do is a GLSA and an audit of other packages that ship code copies; I'm after that.
CVE names are public, GLSA request filed.