Cyber Resilience

CVE-2026-1144

Severity: Medium · Public PoC

Published: 19 January 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 5.3 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0035 (26.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-1144 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Quickjs-Ng Quickjs. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood the CVE ranks at the 26.6th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-1144 is a use-after-free vulnerability (CWE-416, also related to CWE-119) in an unknown function within the file quickjs.c, specifically in the Atomics Ops Handler component of quickjs-ng quickjs versions up to 0.11.0. This flaw affects the lightweight JavaScript engine quickjs-ng quickjs, which is commonly embedded in various applications for JavaScript execution.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and has a CVSS v3.1 base score of 6.3 (C:L/I:L/A:L) with no scope change (S:U). Attackers can trigger the use-after-free condition, potentially leading to limited impacts on confidentiality, integrity, and availability. The exploit is public and may be used in attacks against affected deployments.

Mitigation is available via the patch commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 in the quickjs-ng quickjs repository. Security practitioners should apply this patch promptly, as advised in the related GitHub issues (#1301, #1302) and pull request (#1303). Updating to a patched version of quickjs-ng quickjs resolves the issue.

Vulnerability details

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1144 is a remotely exploitable use-after-free vulnerability (AV:N/AC:L/PR:N/UI:R) in the QuickJS JavaScript engine, directly enabling exploitation of public-facing applications embedding this component.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0821 · Same product: Quickjs-Ng Quickjs
CVE-2026-1145 · Same product: Quickjs-Ng Quickjs
CVE-2024-13903 · Same product: Quickjs-Ng Quickjs
CVE-2026-0822 · Same product: Quickjs-Ng Quickjs
CVE-2026-3593 · Shared CWE-416
CVE-2025-33077 · Shared CWE-119
CVE-2026-0794 · Shared CWE-416
CVE-2025-24064 · Shared CWE-416
CVE-2026-45185 · Shared CWE-416
CVE-2025-14572 · Shared CWE-119

Affected Assets

quickjs-ng quickjs ≤ 0.11.0

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SI-2 (Flaw Remediation). Directly mandates timely remediation of identified software flaws, such as this use-after-free vulnerability in quickjs-ng quickjs, by applying the available patch.

detect: RA-5 (Vulnerability Monitoring and Scanning). Requires vulnerability scanning to identify deployments of vulnerable quickjs-ng quickjs versions affected by this CVE.

prevent: Implements memory protection mechanisms that mitigate use-after-free exploits, such as this one in the Atomics Ops Handler, by restricting unauthorized memory access.
