Description
A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.
Published: 2026-01-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based buffer overflow
Action: Patch immediately
AI Analysis

Impact

A heap-based buffer overflow was discovered in the function js_typed_array_constructor_ta within quickjs-ng quickjs up to version 0.11.0. The overflow occurs when the function is invoked with certain parameters. The CVE states that the attack can be carried out remotely. The CVE does not explicitly state the resulting impact, but such memory corruption could lead to process crashes or, potentially, arbitrary code execution. The possibility of arbitrary code execution is inferred from the nature of heap-based overflows and is not confirmed in the provided data.

Affected Systems

The affected product is QuickJS, an ECMAScript engine developed by quickjs-ng. Versions up to 0.11.0 are vulnerable. The commit that introduces the fix is 53aebe66170d545bb6265906fe4324e4477de8b4. Systems that embed QuickJS or rely on its typed array handling should verify their installed version against this range.

Risk and Exploitability

The CVSS score is 5.3, placing the issue in the Medium severity range. The EPSS score is below 1%, indicating a low likelihood of mass exploitation, but the presence of a publicly published exploit and the remote attack vector raise the practical risk. The vulnerability is not listed in CISA’s KEV catalog, which suggests it is not widely exploited in the wild at this time. Based on the description, it is inferred that an attacker might trigger the overflow remotely by presenting malicious typed array input, making the exploitation path seemingly straightforward for applications that embed QuickJS.

Generated by OpenCVE AI on April 18, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch (commit 53aebe66170d545bb6265906fe4324e4477de8b4) to upgrade QuickJS to a fixed version or later.
  • If a patch cannot be applied immediately, restrict or disable the creation of typed arrays from untrusted input or isolate the QuickJS engine from externally supplied code.
  • Add defensive bounds checking or input validation around typed array construction in any application code that interacts with QuickJS, ensuring that the size and contents of the array are verified before use.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 08:45:00 +0000

  • References

Fri, 30 Jan 2026 15:00:00 +0000

  • CPEs (added): cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

  • First Time appeared (added): Quickjs-ng; Quickjs-ng quickjs
  • Vendors & Products (added): Quickjs-ng; Quickjs-ng quickjs

Mon, 19 Jan 2026 12:15:00 +0000

  • References
  • Metrics: threat_severity None (removed); threat_severity Important (added)

Mon, 19 Jan 2026 08:30:00 +0000

  • Description (added): A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.
  • Title (added): quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow
  • Weaknesses (added): CWE-119; CWE-122
  • References
  • Metrics (added):
      cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
      cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
      cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
      cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-25T16:45:03.206Z

Reserved: 2026-01-18T13:43:22.716Z

Link: CVE-2026-1145

Vulnrichment

Updated: 2026-01-20T15:17:42.604Z

NVD

Status: Modified

Published: 2026-01-19T09:16:02.587

Modified: 2026-02-23T09:16:46.220

Link: CVE-2026-1145

Redhat

Severity: Important

Public Date: 2026-01-19T08:02:08Z

Links: CVE-2026-1145 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses