CVE-2023-48184

Publication date 23 April 2024

Last updated 15 April 2025

Ubuntu priority

QuickJS before 7414e5f has a quickjs.h JS_FreeValueRT use-after-free because of incorrect garbage collection of async functions with closures.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
quickjs	24.10 oracular	Not affected
	24.04 LTS noble	Fixed 2021.03.27-1ubuntu0.1~esm1 Ubuntu Pro
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7439-1
QuickJS vulnerabilities
15 April 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2023-48184
https://github.com/bellard/quickjs/issues/198
https://github.com/bellard/quickjs/issues/156
https://github.com/bellard/quickjs/commit/7414e5f67f9a404f3cf91ffa69d0c93bf46d099e