CVE-2026-0822
Published: 10 January 2026
Summary
CVE-2026-0822 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in quickjs-ng quickjs. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 19.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Heap buffer overflow in JS engine enables client-side code execution via crafted input (T1203); remote delivery with UI:R supports drive-by attacks (T1189).
NVD Description
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Deeper analysis (AI)
CVE-2026-0822 is a heap-based buffer overflow vulnerability in the js_typed_array_sort function of the quickjs.c file in the quickjs-ng quickjs engine, affecting versions up to 0.11.0. The issue, associated with CWE-119, CWE-122, and CWE-787, was published on 2026-01-10 and carries a CVSS v3.1 base score of 6.3.
Remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges, but user interaction is required (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). By manipulating input to trigger the buffer overflow, attackers may achieve limited impacts on confidentiality, integrity, and availability. A public exploit is available and might be used.
Mitigation involves deploying the patch at commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5, as recommended in the quickjs-ng repository. Related GitHub resources include the repository, the patch commit, issue #1297, a comment on that issue, and pull request #1298.
Details
- CWE(s)