CVE-2025-70347
Awaiting Analysis Awaiting Analysis - Queue
Denial of Service in mquickjs get_mblock_size Function

Publication date: 2026-02-10

Last updated on: 2026-02-18

Assigner: MITRE

Description
An issue in mquickjs before commit 74b7e (2026-01-15) allows a local attacker to cause a denial of service via a crafted file to the get_mblock_size function at mquickjs.c.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2025-70347
EUVD
EUVD-2025-207260
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bellard mquickjs to 74b7e (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2025-70347 vulnerability is a flaw in the mquickjs program, specifically in the function get_mblock_size within the source file mquickjs.c. It causes a segmentation fault (SEGV) due to a read memory access violation during execution. This fault occurs when processing a crafted file, leading to a crash triggered by AddressSanitizer. The issue is linked to an error raised when the array length is modified in Array.prototype.splice, which is difficult to handle practically.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the mquickjs program when it processes a specially crafted file. The segmentation fault leads to an abort of the program, potentially disrupting services or applications that rely on mquickjs.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by reproducing the crash in the mqjs executable using a crafted proof-of-concept file that triggers the segmentation fault in the get_mblock_size function.

Detection steps include cloning the bellard/mquickjs repository, building the project with the command `make -j12`, and then running the mqjs executable with debugging enabled on the provided proof-of-concept file named `poc-get_mblock_size-SEGV`.

Specifically, running the mqjs program with the crafted file will cause a segmentation fault detected by AddressSanitizer, indicating the presence of the vulnerability.

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70347. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart