PT-2022-23139 · Rizin · Rizin

Kobrineli

Published

2022-09-06

Updated

2023-03-30

CVE-2022-36044

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Rizin versions 0.4.0 and prior

Description Rizin is a UNIX-like reverse engineering framework and command-line toolset. The issue arises from an out-of-bounds write when getting data from Luac files. A user opening a malicious Luac file could be affected, allowing an attacker to execute code on the user's machine.

Recommendations For Rizin versions 0.4.0 and prior, update to a version that includes the fixes from commits 07b43bc8aa1ffebd9b68d60624c9610cf7e460c7 and 05bbd147caccc60162d6fba9baaaf24befa281cd to resolve the issue. As a temporary workaround, consider avoiding the use of Rizin to open Luac files from untrusted sources until the update is applied.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

CVE-2022-36044

GHSA-MQCJ-82C6-GH5Q

Affected Products

Rizin

PT-2022-23139 · Rizin · Rizin

CVE-2022-36044

Weakness Enumeration

Related Identifiers

Affected Products

References · 10