Description
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
Published: 2026-01-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Exploitation via Use-After-Free
Action: Patch
AI Analysis

Impact

A use‑after‑free flaw (CWE‑416) has been identified in the Atomics Ops handler inside quickjs.c of quickjs‑ng quickjs up to version 0.11.0. When an attacker manipulates the relevant function, the execution path references freed memory, potentially corrupting the runtime state. The CVE entry states that the attack can be executed remotely and that an exploit is publicly available, but it does not explicitly claim arbitrary code execution; the primary impact is memory corruption that could lead to unintended behavior.

Affected Systems

The vulnerability affects the quickjs‑ng quickjs product for all releases through 0.11.0. The specific subcomponent is the Atomics Ops handler in quickjs.c, though no finer‑grained NVD or vendor data specifies a narrower scope. Systems that expose the Atomics Ops interface to external callers are the ones at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. This issue is not listed in the CISA KEV catalog. Attackers can trigger the use‑after‑free remotely, and proof‑of‑concept code is publicly posted in the project's GitHub repository. While the immediate threat level is moderate, the potential for serious compromise justifies prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade quickjs to a version containing commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 or newer, which includes the definitive fix for the use‑after‑free bug.
  • If an up‑to‑date release is not available, copy the patch changes into the source tree before building the library.
  • As a temporary mitigation, disable or restrict remote access to the Atomics Ops functionality until the patch can be applied.
  • Consider integrating runtime memory‑safety tools such as AddressSanitizer or hardened allocators to detect and help guard against future use‑after‑free incidents.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
References

Fri, 30 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Quickjs-ng
Quickjs-ng quickjs
Vendors & Products Quickjs-ng
Quickjs-ng quickjs

Mon, 19 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics: removed threat_severity None; added threat_severity Important


Mon, 19 Jan 2026 07:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
Title quickjs-ng quickjs Atomics Ops quickjs.c use after free
Weaknesses CWE-119
CWE-416
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T16:46:28.328Z

Reserved: 2026-01-18T13:43:14.894Z

Link: CVE-2026-1144

Vulnrichment

Updated: 2026-01-20T15:19:39.327Z

NVD

Status : Modified

Published: 2026-01-19T08:16:04.857

Modified: 2026-02-23T09:16:46.017

Link: CVE-2026-1144

Redhat

Severity : Important

Public Date: 2026-01-19T07:32:10Z

Links: CVE-2026-1144 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses