Description
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
Published: 2026-03-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free
Action: Patch
AI Analysis

Impact

A use‑after‑free flaw is found in the js_iterator_concat_return function in quickjs.c of quickjs‑ng quickjs versions up to 0.12.1; the flaw allows local attackers to trigger memory corruption by providing crafted input, which can lead to process crashes or, in some situations, uncontrolled execution within the process. The vulnerability is classified as CWE‑416 and CWE‑119. The vendor indicates that an arbitrary pointer can be freed twice, enabling arbitrary memory writes.

Affected Systems

All installations of quickjs‑ng quickjs with version 0.12.1 or earlier are affected, including any environment that embeds or links against the library regardless of operating system because the defect resides in the core quickjs.c source.

Risk and Exploitability

The CVSS score of 4.8 denotes a moderate severity while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation; the vulnerability is not listed in the CISA KEV catalog. An exploit has been published, and the attack requires local access to the environment in which the engine runs, meaning that any user who can invoke the JavaScript engine with crafted input can exploit the flaw.

Generated by OpenCVE AI on March 18, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit daab4ad4bae4ef071ed0294618d6244e92def4cd to the quickjs source code.
  • Upgrade to a quickjs‑ng quickjs release newer than 0.12.1 that includes the fix.
  • Verify that the vulnerable function has been hardened and that no use‑after‑free remains in unit tests.

Generated by OpenCVE AI on March 18, 2026 at 16:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Quickjs-ng
Quickjs-ng quickjs
Vendors & Products Quickjs-ng
Quickjs-ng quickjs

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 03:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
Title quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free
Weaknesses CWE-119
CWE-416
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Quickjs-ng Quickjs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T16:16:09.904Z

Reserved: 2026-03-11T14:26:13.418Z

Link: CVE-2026-3979

cve-icon Vulnrichment

Updated: 2026-03-12T13:45:17.104Z

cve-icon NVD

Status : Deferred

Published: 2026-03-12T04:16:40.440

Modified: 2026-04-22T21:30:26.497

Link: CVE-2026-3979

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:36:06Z

Weaknesses