CVE-2021-24044
Description
By passing invalid JavaScript code in which await and yield were called upon non-async and non-generator getter/setter functions, Hermes would invoke generator functions and error out on invalid await/yield positions. This could result in a segmentation fault as a consequence of a type confusion error, with a low chance of RCE. This issue affects Hermes versions prior to v0.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Hermes before v0.10.0, calling await or yield on non-async/non-generator getter/setter functions causes type confusion, leading to a segfault with a low chance of RCE.
Vulnerability
Hermes, a JavaScript engine optimized for React Native, contains a type confusion vulnerability in versions prior to v0.10.0. By passing invalid JavaScript code where await and yield are called upon non-async and non-generator getter/setter functions, Hermes incorrectly invokes generator functions and errors out on invalid await/yield positions [1][3]. This can result in a segmentation fault due to a type confusion error [1][3].
Exploitation
An attacker needs the ability to supply arbitrary JavaScript code to the Hermes engine, such as through a malicious React Native app or a crafted script. The attacker must craft code that uses await inside a getter or setter that is not declared async, or yield inside a getter or setter that is not a generator. No special network position or authentication is required beyond the ability to run the code [1][3].
Impact
Successful exploitation causes a segmentation fault (crash) and could potentially lead to remote code execution (RCE), though the reference notes this is a low chance [1][3]. Confidentiality, integrity, and availability may be compromised if RCE is achieved, but the primary impact observed is denial of service via crash [1][3].
Mitigation
Facebook released a fix in Hermes version v0.10.0 [1][3]. Users should upgrade to v0.10.0 or later. No workarounds are documented. There is no indication this CVE is listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| hermes-engine | npm | < 0.10.0 | 0.10.0 |
Affected products
- Facebook/Hermes (affected range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7mhc-prgv-r3q4 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-24044 (NVD entry)
- www.facebook.com/security/advisories/cve-2021-24044 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.