CRITICAL🇵🇱 Wersja polska

CVE-2022-36938

CVSS 9.8v3.1pub. 2022-11-11upd. 2025-05-01

DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Facebook Redex

    APP
    Facebook
    < 2022-11-04
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-55182CRITICAL10.0⚠ KEVPL ✓ten sam vendor

RCE bez uwierzytelnienia w React Server Components (deserializacja)

CVE-2023-45239CRITICAL9.8ten sam vendor

A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands ar...

CVE-2023-28081CRITICAL9.8ten sam vendor

A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used t...

CVE-2023-23557CRITICAL9.8ten sam vendor

An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4...

CVE-2023-23556CRITICAL9.8ten sam vendor

An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 cou...