CVE-2022-36039 Out-of-bounds write when parsing DEX files in Rizin

2022-09-0619:05:11

CWE-787

GitHub_M

www.cve.org

rizin

unix-like

reverse engineering

dex files

vulnerability

malicious

attacker

code execution

patch

repository

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.1%

JSON

Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to out-of-bounds write when parsing DEX files. A user opening a malicious DEX file could be affected by this vulnerability, allowing an attacker to execute code on the user’s machine. A patch is available on the dev branch of the repository.

CNA Affected

[
  {
    "product": "rizin",
    "vendor": "rizinorg",
    "versions": [
      {
        "status": "affected",
        "version": "<= 0.4.0"
      }
    ]
  }
]