CVE-2022-36039

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-36039

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36039.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-36039

Aliases

GHSA-pr85-hv85-45pg

Published

2022-09-06T19:05:11Z

Modified

2025-11-19T02:35:24.849673Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Out-of-bounds write when parsing DEX files in Rizin

Details

Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to out-of-bounds write when parsing DEX files. A user opening a malicious DEX file could be affected by this vulnerability, allowing an attacker to execute code on the user's machine. A patch is available on the dev branch of the repository.

Database specific

{
    "cwe_ids": [
        "CWE-787"
    ]
}

References

Affected packages

Git / github.com/rizinorg/rizin

Affected ranges

Type: GIT
Repo: https://github.com/rizinorg/rizin
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1524f85211445e41506f98180f8f69f7bf115406

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-36039-5c320907",
        "source": "https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "dex_string_new",
            "file": "librz/bin/format/dex/dex.c"
        },
        "digest": {
            "length": 497.0,
            "function_hash": "99659508789119511756972434897892013393"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-36039-79e5db07",
        "source": "https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "dex_resolve_library",
            "file": "librz/bin/format/dex/dex.c"
        },
        "digest": {
            "length": 228.0,
            "function_hash": "246134841913325793694536286964572473148"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-36039-7c816ff7",
        "source": "https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "librz/bin/format/dex/dex.c"
        },
        "digest": {
            "line_hashes": [
                "147331672902150971843320243806726784506",
                "308688466546587932645436158427065917087",
                "300896989284992624504410885153031108546",
                "30119435488645988879246204426675988478",
                "224939067413844063894292658007896335315",
                "225047465475472695443452581793435853290",
                "70408551435819562689064818759372719301",
                "87033387331837249771636213592192394059"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line"
    }
]