| Field | Value |
|---|---|
| Title | quickjs-ng QuickJS 0.12.1 Use-After-Free |
| Description | Heap-use-after-free in Iterator.concat (js_iterator_concat_next) due to reentrancy.<br>During Iterator.concat.next(), QuickJS-NG stores pointers to iterator state entries, then executes user-controlled @@iterator code before reentrancy is fully blocked. A reentrant call to it.return() frees/advances internal entries; execution then resumes and frees stale values again, causing stale-value double release and resulting heap-use-after-free.<br>Reproduced on quickjs-ng 0.12.1 (commit ae7fc2b2c018c9b1410eacfb985f5b966c98b3e4) with ASan.<br>PoC and ASan trace: https://github.com/quickjs-ng/quickjs/issues/1368<br>Additionally, in my local testing environment, I was able to escalate this bug to arbitrary code execution (RCE).<br>Reporter credit: im-razvan (Iacob Razvan Mihai) |
| Source | https://github.com/quickjs-ng/quickjs/issues/1368 |
| User | im-razvan (UID 91857) |
| Submission | 02/28/2026 15:22 (1 month ago) |
| Moderation | 03/11/2026 15:26 (11 days later) |
| Status | Accepted |
| VulDB entry | 350414 [quickjs-ng quickjs up to 0.12.1 quickjs.c js_iterator_concat_return use after free] |
| Points | 20 |