PT-2022-23691 · Redex · Redex

Published

2022-11-10

·

Updated

2023-07-21

·

CVE-2022-36938

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Redex versions prior to commit 3b44c64

Description

The DexLoader function get_stringidx_fromdex() in Redex can read from an out-of-bounds address when loading the string index table (string_ids) of a DEX file. Because Redex processes third-party Android APK files, a crafted APK could trigger this read and potentially lead to remote code execution.

Recommendations

Update Redex to a version that includes commit 3b44c64, which fixes get_stringidx_fromdex(). Until the update is applied, avoid processing Android APK files from untrusted third parties with Redex.
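The bug class described above, as an added illustration that is not Redex's code and not the CVE's actual faulty routine: a hypothetical string_ids lookup that trusts the DEX header's string_ids_off field and the caller's index, next to a hardened version that checks both against the number of bytes actually read from disk. The DEX header offsets are the real ones from the DEX format; the sample image, the function names and the scenario helpers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the DEX header (dex_header_item), per the DEX format. */
#define DEX_HEADER_SIZE          0x70u
#define DEX_FILE_SIZE_OFF        0x20u
#define DEX_HEADER_SIZE_OFF      0x24u
#define DEX_STRING_IDS_SIZE_OFF  0x38u
#define DEX_STRING_IDS_OFF_OFF   0x3Cu

#define BAD_OFFSET 0xFFFFFFFFu

static uint32_t rd32(const uint8_t *p) {           /* little-endian load */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {         /* little-endian store */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern (hypothetical, not Redex's code): string_ids_off and idx
 * are trusted, so a crafted header or index reads outside the mapped file. */
uint32_t get_stringidx_unchecked(const uint8_t *dex, uint32_t idx) {
    uint32_t table = rd32(dex + DEX_STRING_IDS_OFF_OFF);
    return rd32(dex + table + 4u * idx);
}

/* Hardened lookup: 0 on success with *out set, -1 if the table or the index
 * does not lie inside the `len` bytes actually read. `len` is the real buffer
 * size, not the header's file_size field, which is attacker-controlled. */
int get_stringidx_checked(const uint8_t *dex, size_t len, uint32_t idx, uint32_t *out) {
    if (len < DEX_HEADER_SIZE) return -1;
    uint32_t count = rd32(dex + DEX_STRING_IDS_SIZE_OFF);
    uint32_t table = rd32(dex + DEX_STRING_IDS_OFF_OFF);
    if (idx >= count) return -1;                          /* index past declared table */
    /* table + 4*count <= len, written so the arithmetic cannot wrap */
    if (table > len || count > (len - table) / 4u) return -1;
    *out = rd32(dex + table + 4u * idx);
    return 0;
}

/* Constructed minimal DEX-like image (not a real APK): a header followed by
 * three string_ids entries. count/offset fields are caller-chosen so that
 * malformed headers can be built. Returns the number of bytes written. */
#define SAMPLE_LEN (DEX_HEADER_SIZE + 3u * 4u)
size_t make_sample_dex(uint8_t *buf, size_t cap, uint32_t count, uint32_t table) {
    static const uint32_t entries[3] = {0x100, 0x110, 0x120};
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "dex\n035\0", 8);
    wr32(buf + DEX_FILE_SIZE_OFF, SAMPLE_LEN);
    wr32(buf + DEX_HEADER_SIZE_OFF, DEX_HEADER_SIZE);
    wr32(buf + DEX_STRING_IDS_SIZE_OFF, count);
    wr32(buf + DEX_STRING_IDS_OFF_OFF, table);
    for (size_t i = 0; i < 3; i++) wr32(buf + DEX_HEADER_SIZE + 4u * i, entries[i]);
    return SAMPLE_LEN;
}

/* Scenarios: each builds one input class and returns the checked lookup's outcome. */
uint32_t scenario_valid(void) {                 /* well-formed header, idx 1 -> 0x110 */
    uint8_t buf[SAMPLE_LEN]; uint32_t v;
    size_t len = make_sample_dex(buf, sizeof buf, 3, DEX_HEADER_SIZE);
    if (get_stringidx_checked(buf, len, 1, &v) != 0) return BAD_OFFSET;
    /* on well-formed input the unchecked path agrees; only hostile input separates them */
    return v == get_stringidx_unchecked(buf, 1) ? v : BAD_OFFSET;
}
int scenario_index_past_table(void) {           /* idx == count */
    uint8_t buf[SAMPLE_LEN]; uint32_t v;
    size_t len = make_sample_dex(buf, sizeof buf, 3, DEX_HEADER_SIZE);
    return get_stringidx_checked(buf, len, 3, &v);
}
int scenario_oversized_count(void) {            /* header claims 2^32-1 entries */
    uint8_t buf[SAMPLE_LEN]; uint32_t v;
    size_t len = make_sample_dex(buf, sizeof buf, 0xFFFFFFFFu, DEX_HEADER_SIZE);
    return get_stringidx_checked(buf, len, 3, &v);
}
int scenario_table_outside_file(void) {         /* string_ids_off points past the buffer */
    uint8_t buf[SAMPLE_LEN]; uint32_t v;
    size_t len = make_sample_dex(buf, sizeof buf, 3, 0xFFFFFF00u);
    return get_stringidx_checked(buf, len, 0, &v);
}

int main(void) {
    printf("valid lookup:        0x%x\n", scenario_valid());
    printf("index past table:    %d\n", scenario_index_past_table());
    printf("oversized count:     %d\n", scenario_oversized_count());
    printf("table outside file:  %d\n", scenario_table_outside_file());
    return 0;
}
```

The hardened check validates against the real buffer length rather than the header's file_size, and orders the comparison so the offset arithmetic cannot wrap; the unchecked path returns the same value on well-formed input, which is why a defect of this kind only surfaces when a crafted APK is processed.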

Fix

Weakness Enumeration

Out-of-bounds Read (CWE-125)

Related Identifiers

CVE-2022-36938

Affected Products

Redex