CVE-2026-3979: QuickJS-ng Use After Free Vulnerability

CVE-2026-3979 Overview

A use after free vulnerability has been discovered in quickjs-ng QuickJS up to version 0.12.1. This memory corruption flaw affects the function js_iterator_concat_return within the file quickjs.c. When exploited, an attacker with local access can manipulate the affected function to trigger a use after free condition, potentially leading to arbitrary code execution, information disclosure, or denial of service.

Critical Impact
This use after free vulnerability in the JavaScript engine's iterator concatenation handling could allow local attackers to corrupt memory, potentially enabling code execution or causing application crashes in systems using QuickJS-ng for JavaScript parsing and execution.

Affected Products

quickjs-ng QuickJS versions up to 0.12.1
Applications and systems embedding QuickJS-ng JavaScript engine

Discovery Timeline

2026-03-12 - CVE CVE-2026-3979 published to NVD
2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-3979

Vulnerability Analysis

This vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), which encompasses memory safety issues including use after free conditions. The flaw resides in the js_iterator_concat_return function within quickjs.c, a core component of the QuickJS JavaScript engine.

Use after free vulnerabilities occur when a program continues to reference memory after it has been freed, allowing an attacker to potentially control the contents of that memory region when it is reallocated. In this case, the iterator concatenation return handling does not properly manage object lifetimes, leading to a dangling pointer scenario.

The attack requires local access to the system, meaning an attacker must already have the ability to execute code or provide malicious JavaScript input to an application using the vulnerable QuickJS-ng library.

Root Cause

The root cause of CVE-2026-3979 lies in improper memory management within the js_iterator_concat_return function. The function fails to correctly handle object references during iterator concatenation operations, resulting in a scenario where memory is freed prematurely while references to that memory still exist. When the code subsequently attempts to access this freed memory, it results in undefined behavior that can be exploited by an attacker.

The fix has been implemented in commit daab4ad4bae4ef071ed0294618d6244e92def4cd, which addresses the object lifetime management issue in the iterator concatenation logic.

Attack Vector

The attack vector for this vulnerability requires local access to the target system. An attacker would need to either:

Execute malicious JavaScript code through an application using the vulnerable QuickJS-ng engine
Provide crafted input that triggers the vulnerable code path in js_iterator_concat_return

The vulnerability can be triggered through manipulation of iterator objects during concatenation operations. When the vulnerable function processes specially crafted iterator chains, the use after free condition can be triggered, potentially allowing the attacker to:

Execute arbitrary code within the context of the affected application
Cause denial of service through application crashes
Potentially leak sensitive information from memory

For technical details on the vulnerability mechanism, refer to the GitHub Issue #1368 and the associated commit that addresses the flaw.

Detection Methods for CVE-2026-3979

Indicators of Compromise

Unexpected crashes or segmentation faults in applications using QuickJS-ng JavaScript engine
Memory corruption errors in system logs related to QuickJS-ng processes
Abnormal memory access patterns or heap corruption detected by memory sanitizers
Suspicious JavaScript execution patterns involving iterator operations

Detection Strategies

Deploy memory sanitizers (AddressSanitizer, Valgrind) in testing environments to detect use after free conditions
Monitor application logs for signs of memory corruption or unexpected termination in QuickJS-ng-dependent applications
Implement runtime memory protection mechanisms that can detect heap corruption
Review application code for untrusted JavaScript input handling that could trigger the vulnerable code path

Monitoring Recommendations

Enable verbose logging for applications embedding QuickJS-ng to capture potential exploitation attempts
Monitor system stability and crash reports for patterns indicating memory corruption
Implement application-level monitoring for unusual iterator operation patterns
Consider deploying endpoint detection solutions capable of identifying memory corruption exploit techniques

How to Mitigate CVE-2026-3979

Immediate Actions Required

Update quickjs-ng QuickJS to a version that includes the security patch (commit daab4ad4bae4ef071ed0294618d6244e92def4cd)
Audit applications using QuickJS-ng to identify potential exposure points
Restrict the ability to execute untrusted JavaScript code through affected QuickJS-ng installations
Consider implementing sandboxing for applications that must process untrusted JavaScript

Patch Information

A patch has been released by the quickjs-ng project to address this vulnerability. The fix is available in commit daab4ad4bae4ef071ed0294618d6244e92def4cd. Organizations should apply this patch immediately or update to a version of QuickJS-ng that includes this fix.

For detailed information on the patch, refer to:

Workarounds

Limit exposure by disabling or restricting JavaScript execution capabilities in affected applications where possible
Implement input validation and sanitization for any JavaScript code processed by QuickJS-ng
Run QuickJS-ng in a sandboxed environment to limit the impact of potential exploitation
Monitor and restrict local access to systems running vulnerable QuickJS-ng versions

bash

# Update QuickJS-ng to the patched version
cd /path/to/quickjs-ng
git fetch origin
git checkout daab4ad4bae4ef071ed0294618d6244e92def4cd
make clean && make