Cyber Posture

CVE-2026-1144

Medium · Public PoC

Published: 19 January 2026

Modified: 23 February 2026
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0016 (36.3th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1144 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in quickjs-ng quickjs. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates timely remediation of identified software flaws like this use-after-free vulnerability in quickjs-ng quickjs by applying the available patch.

Detect: Requires vulnerability scanning to identify deployments of vulnerable quickjs-ng quickjs versions affected by this CVE.

Prevent: Implements memory protection mechanisms that mitigate use-after-free exploits by restricting unauthorized memory access in the Atomics Ops Handler.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2026-1144 is a remotely exploitable use-after-free vulnerability (AV:N/AC:L/PR:N/UI:R) in the QuickJS JavaScript engine, directly enabling exploitation of public-facing applications embedding this component.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Deeper analysis

CVE-2026-1144 is a use-after-free vulnerability (CWE-416, also related to CWE-119) in an unknown function within the file quickjs.c, specifically in the Atomics Ops Handler component of quickjs-ng quickjs versions up to 0.11.0. This flaw affects the lightweight JavaScript engine quickjs-ng quickjs, which is commonly embedded in various applications for JavaScript execution.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), and has a CVSS v3.1 base score of 6.3 (C:L/I:L/A:L) with no scope change (S:U). Attackers can trigger the use-after-free condition, potentially leading to limited impacts on confidentiality, integrity, and availability. The exploit is public and may be used in attacks against affected deployments.

Mitigation is available via the patch commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 in the quickjs-ng quickjs repository. Security practitioners should apply this patch promptly, as advised in the related GitHub issues (#1301, #1302) and pull request (#1303). Updating to a patched version of quickjs-ng quickjs resolves the issue.

Details

CWE(s)

Affected Products

quickjs-ng quickjs ≤ 0.11.0

CVEs Like This One

CVE-2026-0821 · Same product: quickjs-ng quickjs
CVE-2026-1145 · Same product: quickjs-ng quickjs
CVE-2024-13903 · Same product: quickjs-ng quickjs
CVE-2026-0822 · Same product: quickjs-ng quickjs
CVE-2025-47917 · Shared CWE-416
CVE-2026-23427 · Shared CWE-416
CVE-2025-24064 · Shared CWE-416
CVE-2026-6775 · Shared CWE-119
CVE-2026-39892 · Shared CWE-119
CVE-2024-45434 · Shared CWE-416
