CVE-2023-24832

A null pointer dereference bug in Hermes prior to commit 5cae9f72975cf0e5a62b27fdd8b01f103e198708 could have been used by an attacker to crash a Hermes runtime where the EnableHermesInternal config option was set to true. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Configurations

Configuration 1

cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:*

History

26 May 2023, 23:29

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Facebook, Facebook hermes |
| CPE | | cpe:2.3:a:facebook:hermes:*:*:*:*:*:*:*:* |
| CWE | | CWE-476 |
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 7.5 |
| References | (MISC) https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708 | (MISC) https://github.com/facebook/hermes/commit/5cae9f72975cf0e5a62b27fdd8b01f103e198708 - Patch |
| References | (MISC) https://www.facebook.com/security/advisories/cve-2023-24832 | (MISC) https://www.facebook.com/security/advisories/cve-2023-24832 - Patch, Vendor Advisory |

Information

Published : 2023-05-18 22:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-24832

Mitre link : CVE-2023-24832

CVE.ORG link : CVE-2023-24832


Products Affected

facebook

  • hermes
CWE
CWE-476

NULL Pointer Dereference