{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1145", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-18T13:43:22.716Z", "datePublished": "2026-01-19T08:02:08.519Z", "dateUpdated": "2026-02-25T16:45:03.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:43:56.557Z"}, "title": "quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "quickjs-ng", "product": "quickjs", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}, {"version": "0.5", "status": "affected"}, {"version": "0.6", "status": "affected"}, {"version": "0.7", "status": "affected"}, {"version": "0.8", "status": "affected"}, {"version": "0.9", "status": "affected"}, {"version": "0.10", "status": "affected"}, {"version": "0.11.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-18T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-31T02:47:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mcsky23 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.341738", "name": "VDB-341738 | quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341738", "name": "VDB-341738 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.735539", "name": "Submit #735539 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1305", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1306", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4", "tags": ["patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:16:31.134309Z", "id": "CVE-2026-1145", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:45:03.206Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1145", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-18T13:43:22.716Z", "datePublished": "2026-01-19T08:02:08.519Z", "dateUpdated": "2026-02-25T16:45:03.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T08:43:56.557Z"}, "title": "quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "quickjs-ng", "product": "quickjs", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}, {"version": "0.5", "status": "affected"}, {"version": "0.6", "status": "affected"}, {"version": "0.7", "status": "affected"}, {"version": "0.8", "status": "affected"}, {"version": "0.9", "status": "affected"}, {"version": "0.10", "status": "affected"}, {"version": "0.11.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-18T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-31T02:47:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mcsky23 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.341738", "name": "VDB-341738 | quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.341738", "name": "VDB-341738 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.735539", "name": "Submit #735539 | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1305", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1306", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4", "tags": ["patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1145", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T15:16:31.134309Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:17:42.604Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*", "matchCriteriaId": "99E7BDDC-5F85-4D2D-A0FE-87E837B594D3", "versionEndIncluding": "0.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue."}, {"lang": "es", "value": "Se ha encontrado una falla en quickjs-ng quickjs hasta 0.11.0. Afectada por esta vulnerabilidad es la funci\u00f3n js_typed_array_constructor_ta del archivo quickjs.c. Esta manipulaci\u00f3n causa desbordamiento de b\u00fafer basado en mont\u00edculo. El ataque es posible de realizar de forma remota. El exploit ha sido publicado y puede ser utilizado. Nombre del parche: 53aebe66170d545bb6265906fe4324e4477de8b4. Se sugiere instalar un parche para abordar este problema."}], "id": "CVE-2026-1145", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-19T09:16:02.587", "references": [{"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/quickjs-ng/quickjs/issues/1305"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/quickjs-ng/quickjs/pull/1306"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.341738"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.341738"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.735539"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "quickjs-ng: quickjs-ng quickjs: Heap-based buffer overflow leading to information disclosure or denial of service", "id": "2430790", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430790"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "(CWE-119|CWE-122)", "details": ["A flaw was found in quickjs-ng quickjs. This vulnerability, a heap-based buffer overflow, exists in the `js_typed_array_constructor_ta` function. A remote attacker can exploit this by sending specially crafted input, which could lead to unauthorized information disclosure or system instability (denial of service)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid processing untrusted JavaScript content with applications that embed `quickjs-ng`, such as `radare2`. Restricting the execution of untrusted scripts can reduce the exposure to this vulnerability."}, "name": "CVE-2026-1145", "public_date": "2026-01-19T08:02:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1145\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1145\nhttps://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4\nhttps://github.com/quickjs-ng/quickjs/issues/1305\nhttps://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372\nhttps://github.com/quickjs-ng/quickjs/pull/1306\nhttps://vuldb.com/?ctiid.341738\nhttps://vuldb.com/?id.341738\nhttps://vuldb.com/?submit.735539"], "statement": "This vulnerability is rated Important for Red Hat products. A heap-based buffer overflow flaw in the `js_typed_array_constructor_ta` function of `quickjs-ng` can be exploited remotely. This issue affects components that embed `quickjs-ng`, such as `radare2` in Red Hat Community Projects, when processing untrusted JavaScript content.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:55:42.621203+00:00", "value": {"mitigation_remediation": ["Apply the official patch (commit 53aebe66170d545bb6265906fe4324e4477de8b4) to upgrade QuickJS to a fixed version or later.", "If a patch cannot be applied immediately, restrict or disable the creation of typed arrays from untrusted input or isolate the QuickJS engine from externally supplied code.", "Add defensive bounds checking or input validation around typed array construction in any application code that interacts with QuickJS, ensuring that the size and contents of the array are verified before use."], "summary": {"action": "Patch immediately", "impact": "Heap-based buffer overflow"}, "threat_synthesis": {"affected_systems": "The affected product is QuickJS, an ECMAScript engine developed by quickjs-ng. Versions up to 0.11.0 are vulnerable. The commit that introduces the fix is 53aebe66170d545bb6265906fe4324e4477de8b4. Systems that embed QuickJS or rely on its typed array handling should verify their installed version against this range.", "description_and_impact": "A heap-based buffer overflow was discovered in the function js_typed_array_constructor_ta within quickjs-ng quickjs up to version 0.11.0. The flaw causes a heap-based buffer overflow when the function is invoked with certain parameters. The CVE states that the attack can be carried out remotely. While the CVE does not explicitly state the resulting impact, such memory corruption could lead to process crashes or, potentially, arbitrary code execution. The possibility of arbitrary code execution is inferred from the nature of heap-based overflows but is not confirmed in the provided data.", "risk_and_exploitability": "The CVSS score is 5.3, placing the issue in the moderate severity range. The EPSS score is below 1%, indicating a low likelihood of mass exploitation, but the presence of a publicly published exploit and the fact that attack vectors are remote raise the practical risk. The vulnerability is not listed in CISA\u2019s KEV catalog, which suggests it is not widely exploited in the wild at this time. Based on the description, it is inferred that an attacker might trigger the overflow remotely by presenting malicious typed array input, making the exploitation path seemingly straightforward for applications that embed QuickJS."}}}}, "created": "2026-01-20T08:43:44.860388+00:00", "updated": "2026-04-18T16:00:04.290369+00:00", "vendors": ["quickjs-ng", "quickjs-ng$PRODUCT$quickjs"]}