QuickJS-NG Uninitialized Memory Vulnerability in Mapped Arguments Garbage Collection Allows Arbitrary Code Execution

Vulnerability

A use-after-free vulnerability has been identified in QuickJS-NG version 0.12.1. The issue arises in the 'js_mapped_arguments_mark' function, where non-detached 'JSVarRef' entries in a mapped arguments fast array are not properly handled. This oversight leads to the use of uninitialized link pointers during garbage collection, creating a condition that can be exploited to execute arbitrary native code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution.

Reproduction

The vulnerability can be reproduced with a proof-of-concept script that manipulates the garbage collection process so that 'js_mapped_arguments_mark' processes non-detached 'JSVarRef' entries and the garbage collector dereferences uninitialized memory. Under AddressSanitizer the run ends in a segmentation fault on this invalid memory access, demonstrating the use-after-free condition.

Remediation

Users can upgrade to QuickJS-NG version 0.13.0, where this vulnerability has been fixed.

Added: May 11, 2026, 9:32 PM
Updated: May 11, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         7.5
exploitability: 5.5
remediation:    7.7
relevance:      8.0
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.