After a bit of research I found out that the commit that fixes CVE-2022-1587 (https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0) is not directly applicable to .39, it needs a compiler update (https://github.com/PCRE2Project/pcre2/commit/dea56d2df94546c23021a42d9395f2333589f01e), this is a very substantial update. Looking at Fedora and Debian they updated the .40 too.<br /><br />Hope it helps,<br /><br />Davide