| Field | Value |
|---|---|
| Title | quickjs-ng QuickJS 0.12.1 Use-After-Free |
| Description | Heap-use-after-free in Iterator.concat (js_iterator_concat_next) due to reentrancy. During Iterator.concat.next(), QuickJS-NG stores pointers to iterator state entries, then executes user-controlled @@iterator code before reentrancy is fully blocked. A reentrant call to it.return() frees/advances internal entries; execution then resumes and frees stale values again, causing a stale-value double release and the resulting heap-use-after-free. Reproduced on quickjs-ng 0.12.1 (commit ae7fc2b2c018c9b1410eacfb985f5b966c98b3e4) with ASan. PoC and ASan trace: https://github.com/quickjs-ng/quickjs/issues/1368 Additionally, in my local testing environment, I was able to escalate this bug to arbitrary code execution (RCE). Reporter credit: im-razvan (Iacob Razvan Mihai) |
| Source | https://github.com/quickjs-ng/quickjs/issues/1368 |
| User | im-razvan (UID 91857) |
| Submission | 28.02.2026 15:22 (1 month ago) |
| Moderation | 11.03.2026 15:26 (11 days later) |
| Status | Accepted |
| VulDB Entry | 350414 [quickjs-ng quickjs up to 0.12.1 quickjs.c js_iterator_concat_return buffer overflow] |
| Points | 20 |