Cyber Posture

CVE-2026-1145

Medium · Public PoC

Published: 19 January 2026

Modified: 23 February 2026
KEV Added
Patch
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0011 (28.9th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1145 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Quickjs-Ng Quickjs. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 28.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly mandates identification, reporting, and correction of flaws like the heap-based buffer overflow in QuickJS via timely patching.

prevent: Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of heap buffer overflows even in unpatched systems.

detect: Enables vulnerability scanning to identify deployments of vulnerable QuickJS versions up to 0.11.0 for subsequent remediation.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A heap-based buffer overflow in an embedded JavaScript engine (QuickJS) is exploitable remotely with user interaction (a malicious link or crafted input). This directly facilitates Exploitation for Client Execution (T1203) via memory corruption, though with limited impacts (no full RCE per the description).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Deeper analysis · AI

CVE-2026-1145 is a heap-based buffer overflow vulnerability in the js_typed_array_constructor_ta function within the quickjs.c file of quickjs-ng/quickjs versions up to 0.11.0. This flaw allows improper memory handling during typed array construction, potentially leading to memory corruption. The vulnerability was published on 2026-01-19 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L), mapped to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).

The vulnerability can be exploited remotely by an unauthenticated attacker over the network with low complexity. It requires user interaction, such as clicking a malicious link or processing crafted input in an application embedding QuickJS. As scored, successful exploitation has limited impact: partial disclosure of sensitive information, minor modification of data, or denial of service through application crashes. The scoped, low-impact scoring does not reflect full code execution or privilege escalation.

Mitigation is available via the patch commit 53aebe66170d545bb6265906fe4324e4477de8b4 in the quickjs-ng/quickjs repository. Security practitioners should update to a patched version of QuickJS, as advised in the associated GitHub issue #1305 and pull request #1306, to prevent exploitation.

An exploit for this vulnerability has been publicly disclosed, increasing the risk for unpatched deployments of QuickJS in embedded JavaScript engines.

Details

CWE(s)

Affected Products

quickjs-ng quickjs ≤ 0.11.0

CVEs Like This One

CVE-2026-0822 · Same product: Quickjs-Ng Quickjs
CVE-2026-0821 · Same product: Quickjs-Ng Quickjs
CVE-2026-1144 · Same product: Quickjs-Ng Quickjs
CVE-2024-13903 · Same product: Quickjs-Ng Quickjs
CVE-2025-2337 · Shared CWE-119, CWE-122
CVE-2025-2756 · Shared CWE-119, CWE-122
CVE-2025-2757 · Shared CWE-119, CWE-122
CVE-2025-2754 · Shared CWE-119, CWE-122
CVE-2026-33848 · Shared CWE-119
CVE-2026-6776 · Shared CWE-119
