CVE-2026-0822

Medium · Public PoC

Published: 10 January 2026

Modified: 23 February 2026
CVSS v4 Score: 5.3
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-0822 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Quickjs-Ng Quickjs. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0822 is a heap-based buffer overflow vulnerability in the js_typed_array_sort function of the quickjs.c file in the quickjs-ng quickjs engine, affecting versions up to 0.11.0. The issue, associated with CWE-119, CWE-122, and CWE-787, was published on 2026-01-10 and carries a CVSS v3.1 base score of 6.3.

Remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges, although user interaction is required (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). By manipulating input to trigger the buffer overflow, attackers may achieve limited impacts on confidentiality, integrity, and availability. A public exploit is available and might be used.

Mitigation involves deploying the patch at commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5, as recommended in the quickjs-ng repository. Related GitHub resources include the repository, the patch commit, issue #1297, a comment on that issue, and pull request #1298.

Vulnerability details

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1189 Drive-by Compromise (Tactic: Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Heap buffer overflow in JS engine enables client-side code execution via crafted input (T1203); remote delivery with UI:R supports drive-by attacks (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1145: Same product: Quickjs-Ng Quickjs
CVE-2026-0821: Same product: Quickjs-Ng Quickjs
CVE-2024-13903: Same product: Quickjs-Ng Quickjs
CVE-2026-1144: Same product: Quickjs-Ng Quickjs
CVE-2026-2314: Shared CWE-122, CWE-787
CVE-2026-3544: Shared CWE-122, CWE-787
CVE-2026-3931: Shared CWE-122, CWE-787
CVE-2026-3913: Shared CWE-122, CWE-787
CVE-2026-1861: Shared CWE-122, CWE-787
CVE-2026-4673: Shared CWE-122, CWE-787

Affected Assets

quickjs-ng quickjs ≤ 0.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires applying the vendor patch (commit 53eefbcd) to eliminate the heap buffer overflow in js_typed_array_sort before exploitation.

Prevent: Mandates memory-protection mechanisms that can block or contain the heap-based buffer overflow triggered by crafted typed-array input.

Prevent: Requires validation of untrusted input to the sort routine, preventing the malformed data that leads to the overflow in quickjs.c.
