CVE-2026-1145

Summary

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Affected Software

VendorProductVersion RangeStatus
quickjs-ngquickjs0.1affected
quickjs-ngquickjs0.2affected
quickjs-ngquickjs0.3affected
quickjs-ngquickjs0.4affected
quickjs-ngquickjs0.5affected
quickjs-ngquickjs0.6affected
quickjs-ngquickjs0.7affected
quickjs-ngquickjs0.8affected
quickjs-ngquickjs0.9affected
quickjs-ngquickjs0.10affected
quickjs-ngquickjs0.11.0affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References