CVE-2026-0821: QuickJS-NG Buffer Overflow Vulnerability

CVE-2026-0821 Overview

A heap-based buffer overflow vulnerability has been identified in quickjs-ng QuickJS JavaScript engine affecting versions up to and including 0.11.0. This vulnerability exists within the js_typed_array_constructor function located in the quickjs.c source file. When a specially crafted input is processed, the vulnerability can be triggered, potentially leading to memory corruption.

Critical Impact
Remote attackers can exploit this heap-based buffer overflow vulnerability over the network without requiring authentication or user interaction, potentially leading to code execution or denial of service conditions.

Affected Products

quickjs-ng QuickJS versions up to 0.11.0
Applications embedding vulnerable QuickJS engine versions
Systems running unpatched QuickJS JavaScript runtime

Discovery Timeline

January 10, 2026 - CVE-2026-0821 published to NVD
January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2026-0821

Vulnerability Analysis

This vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), which encompasses heap-based buffer overflow conditions. The flaw resides in the js_typed_array_constructor function within quickjs.c, which handles the creation and initialization of typed array objects in the JavaScript engine.

When processing certain malformed or crafted inputs during typed array construction, the function fails to properly validate buffer boundaries. This allows an attacker to write data beyond the allocated heap buffer, corrupting adjacent memory structures. The vulnerability can be exploited remotely over the network, requiring no special privileges or user interaction.

Root Cause

The root cause of this vulnerability lies in insufficient bounds checking within the typed array constructor implementation. When allocating memory for typed arrays, the code does not properly validate that the requested size and subsequent operations remain within the bounds of the allocated buffer. This creates a condition where carefully crafted array construction parameters can cause heap memory to be written beyond its intended boundaries.

Attack Vector

The vulnerability can be exploited remotely via network-based attack vectors. An attacker can craft malicious JavaScript code that triggers the vulnerable code path in js_typed_array_constructor. When the QuickJS engine processes this crafted input, the heap-based buffer overflow is triggered. The exploit has been publicly disclosed, increasing the risk of exploitation in the wild. The attack requires no authentication and can be initiated without user interaction against applications embedding vulnerable QuickJS versions.

The vulnerability can be triggered by manipulating typed array constructor parameters to cause improper memory allocation handling. For detailed technical information about the exploitation mechanism, refer to the GitHub Issue #1296 which contains the public disclosure details.

Detection Methods for CVE-2026-0821

Indicators of Compromise

Unusual crashes or segmentation faults in applications using QuickJS engine
Memory corruption indicators in heap regions during JavaScript execution
Unexpected process termination when processing JavaScript typed array operations
Anomalous memory access patterns in QuickJS process address space

Detection Strategies

Monitor application logs for crashes related to js_typed_array_constructor function
Implement memory sanitizers (ASAN, MSAN) in development and testing environments to detect heap overflows
Use runtime application self-protection (RASP) solutions to detect memory corruption attempts
Deploy endpoint detection and response (EDR) solutions that can identify heap exploitation patterns

Monitoring Recommendations

Enable verbose logging for applications embedding QuickJS to capture JavaScript execution errors
Monitor system stability metrics for applications using QuickJS engine
Implement crash reporting and analysis to identify potential exploitation attempts
Review application behavior for unexpected memory consumption patterns during JavaScript processing

How to Mitigate CVE-2026-0821

Immediate Actions Required

Update quickjs-ng QuickJS to a version containing the security patch (commit c5d80831e51e48a83eab16ea867be87f091783c5)
Review all applications embedding QuickJS and prioritize patching based on exposure
Consider temporarily disabling or restricting JavaScript execution capabilities if patching is not immediately possible
Implement network-level controls to restrict access to affected services where possible

Patch Information

A security patch has been released to address this vulnerability. The fix is available in commit c5d80831e51e48a83eab16ea867be87f091783c5. Organizations should apply this patch immediately by updating to a QuickJS version that includes this commit. Additional details about the fix can be found in the GitHub Pull Request #1299 and the security patch commit.

Workarounds

Restrict network access to services running vulnerable QuickJS versions using firewall rules
Implement input validation on JavaScript code before processing with QuickJS engine
Run QuickJS in sandboxed environments with limited memory access permissions
Consider using alternative JavaScript engines temporarily until patching is complete

bash

# Update QuickJS to the patched version
git clone https://github.com/quickjs-ng/quickjs.git
cd quickjs
git checkout c5d80831e51e48a83eab16ea867be87f091783c5
make