CVE-2022-40138
First published: Tue Oct 11 2022(Updated: )
An integer conversion error in Hermes bytecode generation, prior to commit 6aa825e480d48127b480b08d13adf70033237097, could have been used to perform Out-Of-Bounds operations and subsequently execute arbitrary code. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes | <2022-09-27 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-40138?
The severity of CVE-2022-40138 is critical.
How does CVE-2022-40138 affect the affected software?
CVE-2022-40138 affects the Facebook Hermes software prior to version 2022-09-27.
Is CVE-2022-40138 exploitable?
Yes, CVE-2022-40138 is exploitable and can be used to perform Out-Of-Bounds operations and execute arbitrary code.
How can I fix CVE-2022-40138?
To fix CVE-2022-40138, update the affected software to version 2022-09-27 or later.
Where can I find more information about CVE-2022-40138?
More information about CVE-2022-40138 can be found in the references: [GitHub commit](https://github.com/facebook/hermes/commit/6aa825e480d48127b480b08d13adf70033237097) and [Facebook Security Advisories](https://www.facebook.com/security/advisories/CVE-2022-40138).
- agent/author
- agent/description
- agent/last-modified-date
- agent/references
- agent/severity
- agent/type
- agent/weakness
- collector/nvd-index
- vendor/facebook
- canonical/facebook hermes