Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.8
QuickJS up to 0.12.1 allows local attackers to crash the system
CVE-2026-3979
Summary
A security flaw in QuickJS, a JavaScript engine, can be exploited by a local attacker with access to the system. This can cause the system to crash. To fix this issue, apply the available patch.
Original title
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires loc...
Original description
A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
nvd CVSS2.0
4.3
nvd CVSS3.1
5.3
nvd CVSS4.0
4.8
Vulnerability type
CWE-119
Buffer Overflow
CWE-416
Use After Free
- https://github.com/quickjs-ng/quickjs/
- https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92d...
- https://github.com/quickjs-ng/quickjs/issues/1368
- https://github.com/quickjs-ng/quickjs/issues/1368#issue-4004680962
- https://github.com/quickjs-ng/quickjs/pull/1370
- https://vuldb.com/?ctiid.350414
- https://vuldb.com/?id.350414
- https://vuldb.com/?submit.769600
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026