CVE-2026-3979
Use-After-Free in QuickJS js_iterator_concat_return Function
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quickjs-ng | quickjs | to 0.12.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3979 is a heap use-after-free vulnerability in the quickjs-ng QuickJS JavaScript engine, affecting versions up to 0.12.1. The flaw exists in the function js_iterator_concat_return within quickjs.c, where improper memory handling leads to referencing memory after it has been freed. This occurs due to re-entrancy during the Iterator.concat.next() operation, where user-controlled JavaScript code can cause internal iterator entries to be freed prematurely and then accessed again, causing a double free and heap corruption.
The vulnerability requires local access to exploit and has a publicly available proof-of-concept. It can cause program crashes, unexpected behavior, or potentially arbitrary code execution by manipulating the iterator concatenation logic.
How can this vulnerability impact me? :
This vulnerability can impact you by causing crashes or instability in applications using the affected QuickJS engine. More critically, it can be exploited to execute arbitrary code locally, compromising the confidentiality, integrity, and availability of the affected system.
Since the exploit requires local access, an attacker with such access could leverage this flaw to escalate privileges or execute malicious code, potentially leading to full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is a use-after-free flaw in the QuickJS JavaScript engine that requires local access and involves manipulation of iterators in JavaScript code. Detection typically involves analyzing the behavior of the QuickJS engine when running JavaScript code that uses iterators, especially looking for crashes or abnormal behavior caused by use-after-free conditions.'}, {'type': 'paragraph', 'content': "A proof-of-concept test case named `tests/bug1368.js` was created to reproduce the issue. This test involves an object with a custom `[Symbol.iterator]` method that triggers the vulnerability by calling the iterator's `return()` method during iteration."}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can run the provided test case or similar JavaScript code that exercises the iterator concatenation logic in QuickJS and observe for crashes or memory errors.'}, {'type': 'paragraph', 'content': 'Using AddressSanitizer (ASan) or similar memory error detection tools while running QuickJS with the test case can help identify use-after-free errors.'}, {'type': 'paragraph', 'content': 'No specific network commands are applicable since the exploit requires local access and is triggered by local JavaScript execution.'}] [2, 4, 5]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to apply the official patch identified by commit `daab4ad4bae4ef071ed0294618d6244e92def4cd` which fixes the use-after-free vulnerability by safely freeing iterator values and nullifying pointers to prevent dangling references.
Updating the QuickJS engine to a version that includes this patch (post version 0.12.1) will mitigate the vulnerability.
Avoid running untrusted or malicious JavaScript code locally in QuickJS environments until the patch is applied.
Monitor for any unusual crashes or behavior in QuickJS that may indicate exploitation attempts.