CVE-2022-36039

2022-09-06 19:15:08
CWE-787
web.nvd.nist.gov
Tags: rizin, cve-2022-36039, vulnerability, out-of-bounds write, dex files, security patch

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 38.1%

Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to an out-of-bounds write when parsing DEX files. A user opening a malicious DEX file could be affected by this vulnerability, allowing an attacker to execute code on the user’s machine. A patch is available on the dev branch of the repository.

Affected configurations

Node: rizinorg rizin, Range 0.4.0

CPE          Name   Operator  Version
rizin:rizin  rizin  le        0.4.0

CNA Affected

[
  {
    "product": "rizin",
    "vendor": "rizinorg",
    "versions": [
      {
        "status": "affected",
        "version": "<= 0.4.0"
      }
    ]
  }
]
