CVE-2026-3979

NameCVE-2026-3979
DescriptionA flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1120722

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
quickjs-ngITP1120722

Notes

Doesn't affect src:quickjs
https://github.com/quickjs-ng/quickjs/issues/1368
https://github.com/quickjs-ng/quickjs/pull/1370
Search for package or bug name: Reporting problems