Intel

AIKIDO-2026-776928

react-native-audio-api is vulnerable to Use-After-Free

Use-After-Free Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

29

Low Risk

This Affects:

JSreact-native-audio-api
0.12.0 - 0.12.1
Fixed in 0.12.2
Are you affected? Scan for Free

TL;DR

The native audio recorder callback on Android and iOS forwards the operating-system-owned capture buffer directly to a worker thread through an asynchronous offloader. The operating system reclaims that buffer once the synchronous callback returns, so the offloader thread reads and processes memory that has already been freed. This use-after-free can crash the application or expose stale heap contents whenever audio recording is active. The fix copies the callback audio data into an owned buffer before the async handoff and frees that copy after the worker thread finishes processing it.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the audio recorder feature.

Background info

react-native-audio-api is vulnerable to Use-After-Free in versions 0.12.0 - 0.12.1.

How to fix this

Upgrade the react-native-audio-api library to the patch version.