{"id":"CVE-2022-36044","summary":"Rizin Out-of-bounds Write vulnerability in Lua binary plugin","details":"Rizin is a UNIX-like reverse engineering framework and command-line toolset. Versions 0.4.0 and prior are vulnerable to an out-of-bounds write when getting data from Luac files. A user opening a malicious Luac file could be affected by this vulnerability, allowing an attacker to execute code on the user's machine. Commits 07b43bc8aa1ffebd9b68d60624c9610cf7e460c7 and 05bbd147caccc60162d6fba9baaaf24befa281cd contain fixes for the issue.","aliases":["GHSA-mqcj-82c6-gh5q"],"modified":"2026-04-11T23:41:59.584965Z","published":"2022-09-06T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36044.json","cwe_ids":["CWE-787"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36044.json"},{"type":"ADVISORY","url":"https://github.com/rizinorg/rizin/security/advisories/GHSA-mqcj-82c6-gh5q"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQZLMHEI5D7EJASA5UW6XN4ODHLRHK6N/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36044"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-06"},{"type":"FIX","url":"https://github.com/rizinorg/rizin/commit/05bbd147caccc60162d6fba9baaaf24befa281cd"},{"type":"FIX","url":"https://github.com/rizinorg/rizin/commit/07b43bc8aa1ffebd9b68d60624c9610cf7e460c7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rizinorg/rizin","events":[{"introduced":"0"},{"fixed":"07b43bc8aa1ffebd9b68d60624c9610cf7e460c7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36044.json","vanir_signatures":[{"id":"CVE-2022-36044-44a613b2","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["9114179400956166026806490749080465910","141647950716231033960712452470651352338","203371619328472460951370656405742994406","122122810315559685324249356524337327696"],"threshold":0.9},"deprecated":false,"source":"https://github.com/rizinorg/rizin/commit/07b43bc8aa1ffebd9b68d60624c9610cf7e460c7","target":{"file":"librz/bin/bobj.c"}},{"id":"CVE-2022-36044-67f6ae31","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["115585023725065363652681674793707175144","273439764585809750213454451052162252740","191292091907489063763726256326437448179","138810595769389364588559812963404100011","289620902878724183091272464250448600138","319719830351657164735484270487854214342","180255372665746641547268191931774641874","14715478804584404206664639608337111236"],"threshold":0.9},"deprecated":false,"source":"https://github.com/rizinorg/rizin/commit/07b43bc8aa1ffebd9b68d60624c9610cf7e460c7","target":{"file":"librz/bin/format/luac/luac_bin.c"}},{"id":"CVE-2022-36044-9a90e509","signature_type":"Function","signature_version":"v1","digest":{"length":2726,"function_hash":"305525324468473274269039272146284936516"},"deprecated":false,"source":"https://github.com/rizinorg/rizin/commit/07b43bc8aa1ffebd9b68d60624c9610cf7e460c7","target":{"file":"librz/bin/format/luac/luac_bin.c","function":"_luac_build_info"}},{"id":"CVE-2022-36044-f9e4e8f1","signature_type":"Function","signature_version":"v1","digest":{"length":775,"function_hash":"146566167267951156637636190157137463324"},"deprecated":false,"source":"https://github.com/rizinorg/rizin/commit/07b43bc8aa1ffebd9b68d60624c9610cf7e460c7","target":{"file":"librz/bin/bobj.c","function":"classes_from_symbols"}}],"vanir_signatures_modified":"2026-04-11T23:41:59Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}