CVE-2026-0821

Summary

A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue.

Affected Software

VendorProductVersion RangeStatus
quickjs-ngquickjs0.1affected
quickjs-ngquickjs0.2affected
quickjs-ngquickjs0.3affected
quickjs-ngquickjs0.4affected
quickjs-ngquickjs0.5affected
quickjs-ngquickjs0.6affected
quickjs-ngquickjs0.7affected
quickjs-ngquickjs0.8affected
quickjs-ngquickjs0.9affected
quickjs-ngquickjs0.10affected
quickjs-ngquickjs0.11.0affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References