Description
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Published: 2026-01-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability resides in the js_typed_array_sort function of QuickJS, a lightweight JavaScript engine. A malformed input can trigger a heap-based buffer overflow during sorting, allowing an attacker to corrupt memory and potentially execute arbitrary code. Because the overflow occurs in a public JavaScript API, remote exploitation is feasible and a proof‑of‑concept exploit has been released.

Affected Systems

Affected users are those running QuickJS from the quickjs-ng project, versions up to and including 0.11.0. Any deployment that incorporates these software versions without the documented patch is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to supply malicious JavaScript executed by the engine, which is typically possible in web servers or embedded devices that expose QuickJS directly. Mitigation requires applying the fix identified by commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5 to move to a patched release.

Generated by OpenCVE AI on April 18, 2026 at 07:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5 to move to a non‑vulnerable QuickJS release.
  • If a patched release is unavailable, upgrade to any QuickJS version newer than 0.11.0 once it becomes available; check the project’s release notes for confirmation.
  • As a temporary measure, constrain the size of data passed to js_typed_array_sort and perform strict length validation, or remove the use of this API in untrusted contexts.

Generated by OpenCVE AI on April 18, 2026 at 07:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
References

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Quickjs-ng
Quickjs-ng quickjs
Vendors & Products Quickjs-ng
Quickjs-ng quickjs

Sun, 11 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 10 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Title quickjs-ng quickjs quickjs.c js_typed_array_sort heap-based overflow
Weaknesses CWE-119
CWE-122
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Quickjs-ng Quickjs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:28:11.224Z

Reserved: 2026-01-09T18:24:23.935Z

Link: CVE-2026-0822

cve-icon Vulnrichment

Updated: 2026-01-12T18:30:44.475Z

cve-icon NVD

Status : Modified

Published: 2026-01-10T14:15:50.087

Modified: 2026-02-23T09:16:38.337

Link: CVE-2026-0822

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-10T13:32:08Z

Links: CVE-2026-0822 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses