CVE-2021-24044
First published: Sat Jan 15 2022(Updated: )
By passing invalid javascript code where await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in segmentation fault as a consequence of type confusion error, with a low chance of RCE. This issue affects Hermes versions prior to v0.10.0.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <0.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Hermes vulnerability?
The vulnerability ID for this Hermes vulnerability is CVE-2021-24044.
How severe is CVE-2021-24044?
CVE-2021-24044 has a severity rating of 9.8 (Critical).
What software is affected by CVE-2021-24044?
The affected software is Facebook Hermes versions up to and excluding 0.10.0.
What is the CWE ID for this vulnerability?
The CWE ID for this vulnerability is CWE-843.
How can I fix CVE-2021-24044?
To fix CVE-2021-24044, update your Facebook Hermes installation to version 0.10.0 or newer.
- collector/nvd-index
- vendor/facebook
- canonical/facebook hermes