cvedb.io
CVE-2023-28081
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2023-05-18T22:15:09.807 · Last modified 2026-06-17T05:46:49.243

Summary

A bytecode optimization bug in Hermes prior to commit e6ed9c1a4b02dc219de1648f44cd808a56171b81 could be used to cause a use-after-free and obtain arbitrary code execution via a carefully crafted payload. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected.

Affected products

facebook — hermes

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.