CVE-2021-24037
Description
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript. Note that this is only exploitable if the application using Hermes permits evaluation of untrusted JavaScript. Hence, most React Native applications are not affected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Hermes error message emission allows arbitrary code execution via crafted JavaScript, though only exploitable if untrusted JS is evaluated.
Vulnerability
A use-after-free vulnerability exists in the Hermes JavaScript engine prior to commit d86e185e485b6330216dee8e854455c694e3a36e, specifically in the transientObjectPutErrorMessage function. The bug occurs when emitting certain error messages involving property assignment on transient objects; the getUTF16Ref method was called with a temporary allocator that could be reused, leading to a dangling pointer reference [1][3]. The fix introduces separate allocator instances (tmp1 and tmp2) and adds a precondition assertion that the allocator must be empty [3]. This vulnerability affects all versions of Hermes built before the referenced commit [1][4].
Exploitation
An attacker must be able to supply and execute arbitrary JavaScript code in a Hermes environment, such as an application that evaluates untrusted JavaScript. The attacker crafts JavaScript that triggers the specific error path during transient object property assignment, causing the engine to use a freed object. No authentication or special privileges are required beyond the ability to execute custom JavaScript; however, exploitation depends on the application permitting such evaluation. Most React Native applications do not do this and are therefore not affected [1][4].
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the Hermes engine process. The use-after-free can be leveraged for memory corruption, leading to remote code execution (RCE) with the privileges of the application hosting the engine. The impact is limited to applications that evaluate untrusted JavaScript, and the severity is reduced for typical React Native deployments where only trusted code is run [1][4].
Mitigation
Users should update to Hermes commit d86e185e485b6330216dee8e854455c694e3a36e or any later release that includes this fix. The fix was made available on or before the disclosure date of June 15, 2021 [1][3][4]. For React Native applications that follow the Hermes release matching their React Native version, the patch is incorporated in the corresponding Hermes release. No workaround is detailed for unpatched versions, but the risk is minimal for most React Native apps as they typically do not evaluate untrusted JavaScript [1][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hermes-enginenpm | < 0.8.0 | 0.8.0 |
Affected products
2- Facebook/Hermesv5Range: commit prior to d86e185e485b6330216dee8e854455c694e3a36e
Patches
1d86e185e485bFix a bug in transient object property assignment and getUTF16Ref
2 files changed · +6 −5
include/hermes/VM/StringView.h+2 −2 modified@@ -319,9 +319,9 @@ class StringView { /// If the string is already UTF16, we return the pointer directly; /// otherwise (it's ASCII) we copy the string into the end of \p allocator, /// and \return a pointer to the beginning of this string in the allocator. - /// Note: \p allocator does not need to be empty when passed in. We always - /// append. + /// \pre allocator must be empty when passed in. UTF16Ref getUTF16Ref(llvh::SmallVectorImpl<char16_t> &allocator) const { + assert(allocator.empty() && "Shouldn't use a non-empty allocator"); return getUTF16Ref(allocator, false); }
lib/VM/Interpreter.cpp+4 −3 modified@@ -445,11 +445,12 @@ transientObjectPutErrorMessage(Runtime *runtime, Handle<> base, SymbolID id) { StringView valueAsStringPrintable = StringPrimitive::createStringView(runtime, valueAsString); - SmallU16String<32> tmp; + SmallU16String<32> tmp1; + SmallU16String<32> tmp2; return runtime->raiseTypeError( TwineChar16("Cannot create property '") + propName + "' on " + - baseTypeAsString.getUTF16Ref(tmp) + " '" + - valueAsStringPrintable.getUTF16Ref(tmp) + "'"); + baseTypeAsString.getUTF16Ref(tmp1) + " '" + + valueAsStringPrintable.getUTF16Ref(tmp2) + "'"); } ExecutionStatus Interpreter::putByIdTransient_RJS(
Vulnerability mechanics
Root cause
"Use-after-free caused by reusing the same temporary buffer for two `getUTF16Ref` calls, where the second call's append operation invalidates the reference returned by the first call."
Attack vector
An attacker who can supply crafted JavaScript to an application using the Hermes engine can trigger the `transientObjectPutErrorMessage` code path [patch_id=20852]. This occurs when a property assignment on a transient object fails, causing Hermes to construct an error message that calls `getUTF16Ref` twice with the same temporary buffer. The second call appends to the buffer, invalidating the `UTF16Ref` returned by the first call, leading to a use-after-free when the first reference is subsequently read. The precondition is that the application permits evaluation of untrusted JavaScript; most React Native applications do not meet this condition.
Affected code
The vulnerable code is in `lib/VM/Interpreter.cpp` in the function `transientObjectPutErrorMessage`, which constructs a type error message by calling `StringView::getUTF16Ref` twice with the same `SmallU16String<32>` temporary buffer. The `getUTF16Ref` method in `include/hermes/VM/StringView.h` appends to the provided allocator, which can invalidate a previously returned reference.
What the fix does
The patch introduces two separate temporary buffers (`tmp1` and `tmp2`) instead of reusing a single buffer (`tmp`) for the two `getUTF16Ref` calls in `transientObjectPutErrorMessage` [patch_id=20852]. Additionally, a precondition assertion (`allocator.empty()`) is added to `StringView::getUTF16Ref` to catch any future misuse of a non-empty allocator. This ensures that each `UTF16Ref` remains valid because no subsequent append operation can invalidate the other reference.
Preconditions
- inputAttacker must be able to supply crafted JavaScript to the Hermes engine.
- configThe application must permit evaluation of untrusted JavaScript (most React Native apps do not).
Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-mph8-6787-r8hwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-24037ghsaADVISORY
- github.com/facebook/hermes/commit/d86e185e485b6330216dee8e854455c694e3a36eghsax_refsource_CONFIRMWEB
- www.facebook.com/security/advisories/CVE-2021-24037ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.