Home

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

PUBLISHED Reserved 2026-01-18 | Published 2026-01-19 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
7.5AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Use After Free

Memory Corruption

Product status

0.1
affected

0.2
affected

0.3
affected

0.4
affected

0.5
affected

0.6
affected

0.7
affected

0.8
affected

0.9
affected

0.10
affected

0.11.0
affected

Timeline

2026-01-18:Advisory disclosed
2026-01-18:VulDB entry created
2026-01-31:VulDB entry last update

Credits

mcsky23 (VulDB User) reporter

References

vuldb.com/?id.341737 (VDB-341737 | quickjs-ng quickjs Atomics Ops quickjs.c use after free) vdb-entry technical-description

vuldb.com/?ctiid.341737 (VDB-341737 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.735537 (Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free) third-party-advisory

vuldb.com/?submit.735538 (Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate)) third-party-advisory

github.com/quickjs-ng/quickjs/issues/1301 issue-tracking

github.com/quickjs-ng/quickjs/pull/1303 issue-tracking

github.com/quickjs-ng/quickjs/issues/1302 exploit issue-tracking

github.com/...ommit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 patch

github.com/quickjs-ng/quickjs/ product

cve.org (CVE-2026-1144)

nvd.nist.gov (CVE-2026-1144)

Download JSON