CVE-2022-40138

CRITICAL

Facebook Hermes < 2022-09-27 - Out-of-Bounds Access

Title source: rule

Description

An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have been used to perform Out-Of-Bounds operations and subsequently execute arbitrary code. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

References (2)

[Patch, Third Party Advisory] https://github.com/facebook/hermes/commit/6aa825e480d48127b480b08d13adf70033237097

View Patch ZIP pw:eip

[Vendor Advisory] https://www.facebook.com/security/advisories/CVE-2022-40138

Scores

CVSS v3 9.8

EPSS 0.0122

EPSS Percentile 79.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-681

Status published

Products (1)

facebook/hermes < 2022-09-27

Published Oct 11, 2022

Tracked Since Feb 18, 2026