Integer Conversion Error in Hermes Leading to Potential Code Execution in React Native
CVE-2022-40138

9.8CRITICAL

Key Information:

Vendor: Facebook
Status: Hermes
Vendor: CVE Published:; 11 October 2022

What is CVE-2022-40138?

A vulnerability exists in Hermes due to an integer conversion error in its bytecode generation process. This flaw may allow attackers to perform Out-Of-Bounds operations and execute arbitrary code when executing untrusted JavaScript. It is important to note that the majority of React Native applications are not affected, as this exploit requires specific conditions centered around the use of Hermes.

Affected Version(s)

Hermes < unspecified

References

https://github.com/facebook/hermes/commit/6aa825e480d4812...

https://www.facebook.com/security/advisories/CVE-2022-40138

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Sep 6, 2022

Facebook

What is CVE-2022-40138?

Affected Version(s)

References

CVSS V3.1

Timeline