CVE-2026-3979
Received Received - Intake
Use-After-Free in QuickJS js_iterator_concat_return Function

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3979
EUVD
EUVD-2026-11519
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quickjs-ng quickjs to 0.12.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3979 is a heap use-after-free vulnerability in the quickjs-ng QuickJS JavaScript engine, affecting versions up to 0.12.1. The flaw exists in the function js_iterator_concat_return within quickjs.c, where improper memory handling leads to referencing memory after it has been freed. This occurs due to re-entrancy during the Iterator.concat.next() operation, where user-controlled JavaScript code can cause internal iterator entries to be freed prematurely and then accessed again, causing a double free and heap corruption.

The vulnerability requires local access to exploit and has a publicly available proof-of-concept. It can cause program crashes, unexpected behavior, or potentially arbitrary code execution by manipulating the iterator concatenation logic.

Impact Analysis

This vulnerability can impact you by causing crashes or instability in applications using the affected QuickJS engine. More critically, it can be exploited to execute arbitrary code locally, compromising the confidentiality, integrity, and availability of the affected system.

Since the exploit requires local access, an attacker with such access could leverage this flaw to escalate privileges or execute malicious code, potentially leading to full system compromise.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a use-after-free flaw in the QuickJS JavaScript engine that requires local access and involves manipulation of iterators in JavaScript code. Detection typically involves analyzing the behavior of the QuickJS engine when running JavaScript code that uses iterators, especially looking for crashes or abnormal behavior caused by use-after-free conditions.'}, {'type': 'paragraph', 'content': "A proof-of-concept test case named `tests/bug1368.js` was created to reproduce the issue. This test involves an object with a custom `[Symbol.iterator]` method that triggers the vulnerability by calling the iterator's `return()` method during iteration."}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can run the provided test case or similar JavaScript code that exercises the iterator concatenation logic in QuickJS and observe for crashes or memory errors.'}, {'type': 'paragraph', 'content': 'Using AddressSanitizer (ASan) or similar memory error detection tools while running QuickJS with the test case can help identify use-after-free errors.'}, {'type': 'paragraph', 'content': 'No specific network commands are applicable since the exploit requires local access and is triggered by local JavaScript execution.'}] [2, 4, 5]

Mitigation Strategies

The recommended immediate mitigation is to apply the official patch identified by commit `daab4ad4bae4ef071ed0294618d6244e92def4cd` which fixes the use-after-free vulnerability by safely freeing iterator values and nullifying pointers to prevent dangling references.

Updating the QuickJS engine to a version that includes this patch (post version 0.12.1) will mitigate the vulnerability.

Avoid running untrusted or malicious JavaScript code locally in QuickJS environments until the patch is applied.

Monitor for any unusual crashes or behavior in QuickJS that may indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart