Use-after-free in Deno - CVE-2024-27934

 


Published: March 5, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127050
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27934
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Deno Land
Affected software:
Deno

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to a use-after-free error in the handling of *const c_void and ExternalPointer when attacker-controlled code is executed inside the Deno runtime. A remote user can trigger reuse of a freed underlying structure and execute arbitrary code.

The issue is exploitable regardless of granted permissions, and exploitation of the ExternalPointer variant may require derandomizing the PIE base address.


How to mitigate CVE-2024-27934

Install the security update from the vendor's website.

Sources