CVE-2023-28081: Use After Free
First published: Thu May 18 2023(Updated: )
A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause an use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.
Credit: cve-assign@fb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Facebook Hermes |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Hermes bug?
The vulnerability ID for this Hermes bug is CVE-2023-28081.
What is the severity of CVE-2023-28081?
The severity of CVE-2023-28081 is critical with a severity value of 9.8.
How can this vulnerability be exploited?
This vulnerability can be exploited by using a carefully crafted payload to cause a use-after-free and obtain arbitrary code execution.
Which version of Hermes is affected by this vulnerability?
The vulnerability affects Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81.
How can I fix this vulnerability in Hermes?
To fix this vulnerability, update Hermes to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 or later.
- collector/nvd-index
- vendor/facebook
- canonical/facebook hermes