Cyber Resilience

CVE-2023-36109

CriticalPublic PoC

Published: 20 September 2023

Published
20 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2036 95.7th percentile
Risk Priority 32 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-36109 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Jerryscript Jerryscript. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-36109 is a buffer overflow vulnerability in JerryScript version 3.0 that resides in the ecma_stringbuilder_append_raw function within the file /jerry-core/ecma/base/ecma-helpers-string.c. The flaw is tracked under CWE-120 and carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack that requires no authentication or user interaction.

Remote, unauthenticated attackers can supply crafted input that triggers the overflow, resulting in arbitrary code execution on the affected system. The vulnerability is exploitable over the network with low attack complexity, allowing an adversary to achieve full control of the process memory and execute attacker-supplied code.

Public references consist of a proof-of-concept repository and an associated issue filed in the JerryScript project tracker; neither source describes patches, workarounds, or mitigation steps. The associated EPSS score stands at 0.2036 with no indicated change from its recorded peak.

EU & UK References

Vulnerability details

Buffer Overflow vulnerability in JerryScript version 3.0, allows remote attackers to execute arbitrary code via ecma_stringbuilder_append_raw component at /jerry-core/ecma/base/ecma-helpers-string.c.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jerryscript
jerryscript
3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References