Type Confusion Vulnerability in Hermes by Facebook
CVE-2021-24044

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 15 January 2022

What is CVE-2021-24044?

Hermes, a JavaScript engine developed by Facebook, is vulnerable to a type confusion issue due to improper handling of JavaScript code involving 'await' and 'yield' on non-async and non-generator getter/setter functions. When incorrect JavaScript is passed, this could lead to the invocation of generator functions, resulting in a segmentation fault caused by type confusion errors. Affected versions of Hermes include all versions prior to v0.10.0, highlighting the importance of upgrading to prevent potential security risks.

Affected Version(s)

Hermes < 0.10.0

Hermes 0.10.0

References

https://www.facebook.com/security/advisories/cve-2021-24044

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 15, 2022
Vulnerability Reserved
Jan 13, 2021