Medium severity5.3NVD Advisory· Published Mar 12, 2026· Updated Apr 29, 2026

CVE-2026-3979

Description

A flaw has been found in quickjs-ng quickjs up to 0.12.1. This affects the function js_iterator_concat_return of the file quickjs.c. This manipulation causes use after free. The attack requires local access. The exploit has been published and may be used. Patch name: daab4ad4bae4ef071ed0294618d6244e92def4cd. Applying a patch is the recommended action to fix this issue.

Affected products

Quickjs Ng/Quickjsreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/quickjs-ng/quickjs/commit/daab4ad4bae4ef071ed0294618d6244e92def4cdnvd
github.com/quickjs-ng/quickjs/issues/1368nvd
github.com/quickjs-ng/quickjs/issues/1368nvd
github.com/quickjs-ng/quickjs/pull/1370nvd
vuldb.comnvd
vuldb.comnvd
vuldb.comnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000