CVE-2023-48184

EUVD-2023-52264
QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.9 LOW
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA-ADPADP
3.9 LOW
ADJACENT_NETWORK
HIGH
HIGH
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
quickjs_projectquickjs
𝑥
< 2023-12-27
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
quickjs
sid
2024.01.13-5
fixed
trixie
2024.01.13-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
quickjs
focal
dne
jammy
dne
mantic
ignored
noble
needs-triage
oracular
not-affected
Common Weakness Enumeration
References
https://github.com/bellard/quickjs/issues/198
https://github.com/bellard/quickjs/issues/198