From 3e9ae1bca07f8155bc4249a21ec41ca2c86fdb93 Mon Sep 17 00:00:00 2001
From: Oblivionsage <126214490+Oblivionsage@users.noreply.github.com>
Date: Fri, 26 Dec 2025 16:53:42 +0100
Subject: [PATCH] unix: remove handle from queue on uv_spawn() error (#4980)

If uv_spawn() fails after uv__handle_init() has been called, the handle remains in loop->handle_queue. This causes use-after-free if the handle is stack-allocated or freed, and a subsequent loop operation like uv_walk() accesses it. This follows the same pattern as uv_tcp_init_ex() which explicitly removes the handle from the queue on error.
---
 src/unix/process.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/unix/process.c b/src/unix/process.c
index 43e6b7984..539e7d941 100644
--- a/src/unix/process.c
+++ b/src/unix/process.c
@@ -1073,6 +1073,7 @@ int uv_spawn(uv_loop_t* loop,
 return exec_errorno;
 error:
+ uv__queue_remove(&process->handle_queue);
 if (pipes != NULL) {
 for (i = 0; i < stdio_count; i++) {
 if (i < options->stdio_count)
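Review bot: The new `uv__queue_remove(&process->handle_queue);` runs only under the `error:` label, while the `return exec_errorno;` directly above it leaves the function without passing through that label. If `exec_errorno` can be non-zero at that return (the body of uv_spawn() lies outside this hunk, so this is not confirmed here), the handle stays linked in `loop->handle_queue` on that failure and the stale-pointer walk described in the commit message is still reachable. A second concern is a caller that still calls uv_close() on the handle after a failed uv_spawn(): the close path would presumably unlink `handle_queue` a second time through stale neighbour pointers. Following the removal with `uv__queue_init(&process->handle_queue);` would make a repeated unlink harmless. Either way, a comment at the label such as `/* Handle is unlinked here; callers must not uv_close() it after this failure. */` (or the opposite contract, if that is what is intended) would make the ownership rule explicit.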