{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3979", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-11T14:26:13.418Z", "datePublished": "2026-03-12T03:32:14.860Z", "dateUpdated": "2026-03-12T16:16:09.904Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-12T03:32:14.860Z"}, "title": "quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "Use After Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "quickjs-ng", "product": "quickjs", "versions": [{"version": "0.12.0", "status": "affected"}, {"version": "0.12.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-11T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-11T15:31:30.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "im-razvan (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.350414", "name": "VDB-350414 | quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350414", "name": "VDB-350414 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769600", "name": "Submit #769600 | quickjs-ng QuickJS 0.12.1 Use-After-Free", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1368", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1370", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1368#issue-4004680962", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cd", "tags": ["patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T13:45:12.778902Z", "id": "CVE-2026-3979", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:16:09.904Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T13:45:12.778902Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:45:17.104Z"}}], "cna": {"tags": ["x_open-source"], "title": "quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free", "credits": [{"lang": "en", "type": "reporter", "value": "im-razvan (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "quickjs-ng", "product": "quickjs", "versions": [{"status": "affected", "version": "0.12.0"}, {"status": "affected", "version": "0.12.1"}]}], "timeline": [{"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-11T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-11T15:31:30.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.350414", "name": "VDB-350414 | quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.350414", "name": "VDB-350414 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.769600", "name": "Submit #769600 | quickjs-ng QuickJS 0.12.1 Use-After-Free", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1368", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1370", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1368#issue-4004680962", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cd", "tags": ["patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "Use After Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-12T03:32:14.860Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3979", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:16:09.904Z", "dateReserved": "2026-03-11T14:26:13.418Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-12T03:32:14.860Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en quickjs-ng quickjs hasta la versi\u00f3n 0.12.1. Esto afecta a la funci\u00f3n js_iterator_concat_return del archivo quickjs.c. Esta manipulaci\u00f3n causa uso despu\u00e9s de liberar. El ataque requiere acceso local. El exploit ha sido publicado y puede ser utilizado. Nombre del parche: daab4ad4bae4ef071ed0294618d6244e92def4cd. Aplicar un parche es la acci\u00f3n recomendada para solucionar este problema."}], "id": "CVE-2026-3979", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-12T04:16:40.440", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cd"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/issues/1368"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/issues/1368#issue-4004680962"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/pull/1370"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.350414"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.350414"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.769600"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-416"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.12.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.12.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "quickjs", "source": "cna", "vendor": "quickjs-ng"}, "product": "quickjs", "vendor": "quickjs-ng"}], "analysis": {"en": {"generated_at": "2026-03-18T16:06:29.354820+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit daab4ad4bae4ef071ed0294618d6244e92def4cd to the quickjs source code.", "Upgrade to a quickjs\u2011ng quickjs release newer than 0.12.1 that includes the fix.", "Verify that the vulnerable function has been hardened and that no use\u2011after\u2011free remains in unit tests."], "summary": {"action": "Patch", "impact": "Use-After-Free"}, "threat_synthesis": {"affected_systems": "All installations of quickjs\u2011ng quickjs with version 0.12.1 or earlier are affected, including any environment that embeds or links against the library regardless of operating system because the defect resides in the core quickjs.c source.", "description_and_impact": "A use\u2011after\u2011free flaw is found in the js_iterator_concat_return function in quickjs.c of quickjs\u2011ng quickjs versions up to 0.12.1; the flaw allows local attackers to trigger memory corruption by providing crafted input, which can lead to process crashes or, in some situations, uncontrolled execution within the process. The vulnerability is classified as CWE\u2011416 and CWE\u2011119. The vendor indicates that an arbitrary pointer can be freed twice, enabling arbitrary memory writes.", "risk_and_exploitability": "The CVSS score of 4.8 denotes a moderate severity while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation; the vulnerability is not listed in the CISA KEV catalog. An exploit has been published, and the attack requires local access to the environment in which the engine runs, meaning that any user who can invoke the JavaScript engine with crafted input can exploit the flaw."}}}}, "created": "2026-03-13T09:53:37.574587+00:00", "updated": "2026-03-20T15:36:06.159853+00:00", "vendors": ["quickjs-ng", "quickjs-ng$PRODUCT$quickjs"]}