In the GNU C Library before 2.28, parse_reg_exp in posix/regcomp.c misparses alternatives, which allows attackers to cause a denial of service or trigger an incorrect result by attempting a regular-expression match.