Submit #735538: quickjs-ng quickjs v0.11.0 Use After Free

Title: quickjs-ng quickjs v0.11.0 Use After Free

Description:

A heap Use-After-Free (UAF) can be triggered in QuickJS-NG in js_atomics_op when converting the user-supplied operand runs arbitrary JS that resizes the underlying Resizable ArrayBuffer, invalidating a cached element pointer before the atomic operation executes. This impacts all APIs implemented via js_atomics_op, including Atomics.add, Atomics.sub, Atomics.and, Atomics.or, Atomics.xor, Atomics.exchange, and Atomics.compareExchange.

Root cause: js_atomics_op calls js_atomics_get_ptr, which caches a heap pointer (ptr) to the typed array element storage. During JS_ToUint32(ctx, &v32, argv[2]), side effects from arbitrary JS (e.g., valueOf) can resize the ArrayBuffer, moving/freeing the old backing store. The cached ptr becomes stale, and the subsequent atomic operation performed through ptr triggers a UAF.

Affected version: quickjs-ng/quickjs commit 537d004cd22b86373c262528c7e8076eaf76996d (tested on 2026-01-05).

Reproduction and ASAN crash details are publicly documented in: https://github.com/quickjs-ng/quickjs/issues/1302

Reporter credit: mcsky23 (Vlad Ionut Seba)
Source: https://github.com/quickjs-ng/quickjs/issues/1302
User: mcsky23 (UID 94179)
Submission: 01/09/2026 08:01 PM (1 month ago)
Moderation: 01/18/2026 02:43 PM (9 days later)
Status: Duplicate
VulDB entry: 341737 [quickjs-ng quickjs up to 0.11.0 Atomics Ops quickjs.c use after free]
Points: 0