Key Vulnerability Information

Title: quickjs-ng quickjs v0.11.0 Use After Free

Description:
- A heap Use-After-Free (UAF) can be triggered in QuickJS-NG in js_atomics_op when converting the user-supplied operand runs arbitrary JS that resizes the underlying Resizable ArrayBuffer, invalidating a cached element pointer before the atomic operation executes. This impacts all APIs implemented via js_atomics_op, including Atomics.add, Atomics.sub, Atomics.and, Atomics.or, Atomics.xor, Atomics.exchange, and Atomics.compareExchange.
- Root cause: js_atomics_op calls js_atomics_get_ptr, which caches a heap pointer (ptr) to the typed array element storage. During JS_ToUint32(ctx, &v32, argv[2]), side effects from arbitrary JS can resize the ArrayBuffer, moving/freeing the old backing store. The cached ptr becomes stale, and the subsequent atomic operation performed through ptr triggers a UAF.
- Affected version: quickjs-ng/quickjs commit 537d004cd22b86373c262528c7e8076ea676996d (tested on 2026-01-05).
- Reproduction and ASAN crash details are documented in: https://github.com/quickjs-ng/quickjs/issues/1302
- Reporter credit: mcsky23 (Vlad Ionut Seba)

Source: https://github.com/quickjs-ng/quickjs/issues/1302
User: mcsky23 (UID 94179)
Submission: 01/09/2026 08:01 PM (10 days ago)
Moderation: 01/18/2026 02:43 PM (9 days later)
Status: Duplicate
VulDB entry: 341737 [quickjs-ng quickjs up to 0.11.0 Atomics Ops quickjs.c use after free]
Points: 0