CVE-2021-46322

An attacker provides a crafted JavaScript file (poc.js) that defines a function with 10,000 local variables and reassigns `arguments` to the function's own return value. When the function is called, the internal environment record closing logic dereferences a stale or out-of-bounds pointer, causing a segmentation fault [ref_id=1]. The bug is reachable without authentication or special network access — simply executing the malicious script triggers the crash.

The crash occurs in `duk_push_tval` at `duktape/duk_api_stack.c:4314`, called from `duk_js_close_environment_record` in `duktape/duk_js_var.c:724` during environment record closing. The unwinding path (`duk__activation_unwind_nofree_norz`, `duk_hthread_stacks.c:278`) triggers the invalid memory access when a function with a large number of local variables and a reassigned `arguments` object is executed [ref_id=1].

The advisory does not include a published patch. The issue report [ref_id=1] only documents the crash and stack trace; no fix commit or remediation guidance is provided in the bundle. Users are left to avoid the triggering pattern (large number of locals combined with `arguments` reassignment) until a fix is released.

Run the provided poc.js against a Duktape v2.99.99 build:

```bash $ ./duktape/build/duk-sanitize-clang poc.js ```

Or without sanitizers:

```bash $ ./duktape/build/duk poc.js ```

Both will produce a segmentation fault [ref_id=1].