{"id":"CVE-2022-36039","summary":"Out-of-bounds write when parsing DEX files in Rizin","details":"Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to out-of-bounds write when parsing DEX files. A user opening a malicious DEX file could be affected by this vulnerability, allowing an attacker to execute code on the user's machine. A patch is available on the `dev` branch of the repository.","aliases":["GHSA-pr85-hv85-45pg"],"modified":"2026-04-11T23:41:59.310578Z","published":"2022-09-06T19:05:11Z","database_specific":{"cwe_ids":["CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36039.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36039.json"},{"type":"ADVISORY","url":"https://github.com/rizinorg/rizin/security/advisories/GHSA-pr85-hv85-45pg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36039"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-06"},{"type":"REPORT","url":"https://github.com/rizinorg/rizin/issues/2969"},{"type":"FIX","url":"https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rizinorg/rizin","events":[{"introduced":"0"},{"fixed":"1524f85211445e41506f98180f8f69f7bf115406"}]}],"database_specific":{"vanir_signatures":[{"source":"https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406","target":{"file":"librz/bin/format/dex/dex.c","function":"dex_string_new"},"signature_version":"v1","signature_type":"Function","id":"CVE-2022-36039-5c320907","deprecated":false,"digest":{"function_hash":"99659508789119511756972434897892013393","length":497}},{"source":"https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406","target":{"file":"librz/bin/format/dex/dex.c","function":"dex_resolve_library"},"signature_version":"v1","signature_type":"Function","id":"CVE-2022-36039-79e5db07","deprecated":false,"digest":{"function_hash":"246134841913325793694536286964572473148","length":228}},{"source":"https://github.com/rizinorg/rizin/commit/1524f85211445e41506f98180f8f69f7bf115406","target":{"file":"librz/bin/format/dex/dex.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2022-36039-7c816ff7","deprecated":false,"digest":{"line_hashes":["147331672902150971843320243806726784506","308688466546587932645436158427065917087","300896989284992624504410885153031108546","30119435488645988879246204426675988478","224939067413844063894292658007896335315","225047465475472695443452581793435853290","70408551435819562689064818759372719301","87033387331837249771636213592192394059"],"threshold":0.9}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36039.json","vanir_signatures_modified":"2026-04-11T23:41:59Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}