| Field | Value |
|---|---|
| Title | quickjs-ng quickjs v0.11.0 Use After Free |
| Description | A heap Use-After-Free (UAF) can be triggered in QuickJS-NG in `js_atomics_store` when coercing a user-supplied value executes arbitrary JS that resizes the underlying Resizable ArrayBuffer, invalidating a cached element pointer before the atomic write.<br><br>Root cause: `js_atomics_store` calls `js_atomics_get_ptr`, which caches a heap pointer (`ptr`) to the typed array element storage. During `ret = JS_ToIntegerFree(...)`, side effects from arbitrary JS (e.g., `valueOf`) can resize the ArrayBuffer, moving or freeing the old backing store. The cached `ptr` becomes stale, and `atomic_store((...)ptr, v);` performs a write through a dangling pointer, causing a UAF.<br><br>Affected version: quickjs-ng/quickjs commit 537d004cd22b86373c262528c7e8076eaf76996d (tested on 2026-01-05).<br><br>Reproduction and ASAN crash details are publicly documented in: https://github.com/quickjs-ng/quickjs/issues/1301<br><br>Reporter credit: mcsky23 (Vlad Ionut Seba) |
| Source | https://github.com/quickjs-ng/quickjs/issues/1301 |
| User | mcsky23 (UID 94179) |
| Submission | 01/09/2026 07:55 PM (1 month ago) |
| Moderation | 01/18/2026 02:43 PM (9 days later) |
| Status | Accepted |
| VulDB entry | 341737 [quickjs-ng quickjs up to 0.11.0 Atomics Ops quickjs.c use after free] |
| Points | 20 |