CVE-2026-0822
Published: 10 January 2026
Summary
CVE-2026-0822 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in quickjs-ng quickjs. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0822 is a heap-based buffer overflow in the js_typed_array_sort function in quickjs.c of the quickjs-ng quickjs engine, affecting versions up to 0.11.0. The issue, associated with CWE-119, CWE-122, and CWE-787, was published on 2026-01-10 and carries a CVSS v3.1 base score of 6.3.
The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, but user interaction is necessary (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). By manipulating input to trigger the buffer overflow, attackers may achieve limited impacts on confidentiality, integrity, and availability. A public exploit is available and might be used.
Mitigation involves deploying the patch at commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5, as recommended in the quickjs-ng repository. Related GitHub resources include the repository, the patch commit, issue #1297, a comment on that issue, and pull request #1298.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1846
Vulnerability details
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in JS engine enables client-side code execution via crafted input (T1203); remote delivery with UI:R supports drive-by attacks (T1189).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patch (commit 53eefbcd) to eliminate the heap buffer overflow in js_typed_array_sort before exploitation.
Mandates memory-protection mechanisms that can block or contain the heap-based buffer overflow triggered by crafted typed-array input.
Requires validation of untrusted input to the sort routine, preventing the malformed data that leads to the overflow in quickjs.c.