CVE-2026-3979 identifies a use-after-free vulnerability in the quickjs-ng quickjs JavaScript engine, affecting versions 0.12.0 and 0.12.1. The vulnerability resides in the function js_iterator_concat_return within the quickjs.c source file. Use-after-free occurs when the program continues to use memory after it has been freed, leading to memory corruption, crashes, or potentially arbitrary code execution. This specific flaw can be triggered by a local attacker with limited privileges (PR:L) without requiring user interaction (UI:N). The attack vector is local (AV:L), meaning the attacker must have access to execute code on the target system. The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L, VI:L, VA:L), as the scope is local and exploitation complexity is low (AC:L). The exploit has been publicly disclosed, increasing the risk of exploitation despite no known widespread attacks. The recommended remediation is to apply the patch identified by commit daab4ad4bae4ef071ed0294618d6244e92def4cd, which corrects the memory management flaw in the affected function. Quickjs is a lightweight JavaScript engine often embedded in applications and devices, so the vulnerability could affect a range of software depending on quickjs-ng usage.

The use-after-free vulnerability in quickjs-ng quickjs can lead to memory corruption, causing application crashes or potentially enabling local privilege escalation or arbitrary code execution. Since exploitation requires local access, remote attacks are not feasible without prior compromise. However, attackers who gain limited local access could leverage this flaw to escalate privileges or disrupt services. This could impact embedded devices, development tools, or applications embedding quickjs, especially those running on Linux or other systems where local user access is common. The vulnerability could result in denial of service or compromise of confidentiality and integrity of the affected system. Organizations relying on quickjs-ng in their software stacks may face increased risk of insider threats or attacks from compromised local accounts. The medium CVSS score reflects moderate risk but should not be underestimated due to the availability of a public exploit.

Organizations should promptly apply the patch identified by commit daab4ad4bae4ef071ed0294618d6244e92def4cd to all affected versions of quickjs-ng quickjs (0.12.0 and 0.12.1). Beyond patching, restrict local access to systems running quickjs to trusted users only and implement strict access controls and monitoring to detect suspicious local activity. Employ memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce exploitation success. Conduct code audits and fuzz testing on applications embedding quickjs to identify similar memory management issues. For environments where patching is delayed, consider isolating or sandboxing applications using quickjs to limit impact. Maintain up-to-date inventories of software dependencies to quickly identify affected components. Finally, educate developers and system administrators about the risks of local vulnerabilities and the importance of timely patching.