CVE-2026-1144: QuickJS-NG Use After Free Vulnerability

CVE-2026-1144 Overview

A use after free vulnerability has been identified in quickjs-ng QuickJS versions up to and including 0.11.0. The vulnerability affects the Atomics Ops Handler component within the quickjs.c file. This memory corruption issue can be exploited remotely when a user interacts with specially crafted content, potentially allowing an attacker to execute arbitrary code or cause unexpected application behavior.

Critical Impact

Remote exploitation is possible through maliciously crafted JavaScript input that triggers the use after free condition in the Atomics operations handler, potentially leading to code execution or application crashes.

Affected Products

• quickjs-ng QuickJS versions up to 0.11.0
• Applications embedding vulnerable QuickJS versions
• Systems running QuickJS-based JavaScript engines

Discovery Timeline

• 2026-01-19 - CVE CVE-2026-1144 published to NVD
• 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2026-1144

Vulnerability Analysis

This use after free vulnerability occurs within the Atomics Ops Handler in quickjs.c. Use after free vulnerabilities arise when a program continues to reference memory after it has been freed, leading to potential memory corruption. In this case, the vulnerability is triggered during atomic operations processing, where improper memory management allows freed memory to be accessed.

The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), indicating that the root issue involves memory boundary violations during atomic operations. An attacker with network access can exploit this vulnerability remotely, though user interaction is required for successful exploitation.

Root Cause

The root cause lies in the improper handling of memory lifecycle within the Atomics operations implementation in QuickJS. When processing certain atomic operations, the JavaScript engine fails to properly track object references, leading to a scenario where memory that has been deallocated is subsequently accessed. This type of vulnerability typically occurs when:

• Object references are not properly maintained during asynchronous operations
• Memory is freed prematurely while still being referenced by the Atomics handler
• Race conditions in the memory management logic allow access to stale pointers

Attack Vector

The attack vector for CVE-2026-1144 is network-based with low attack complexity. An attacker can exploit this vulnerability by:

1. Crafting malicious JavaScript code that triggers specific Atomics operations
2. Causing the QuickJS engine to process the crafted input
3. Triggering the use after free condition through carefully timed memory operations
4. Potentially achieving code execution or causing denial of service through memory corruption

The exploit has been publicly disclosed, and the attack requires user interaction such as opening a malicious web page or processing untrusted JavaScript code through an application using the vulnerable QuickJS engine.

The vulnerability manifests in the atomic operations processing within quickjs.c. Technical details and proof-of-concept information can be found in the GitHub Issue Discussion and related GitHub Issue #1302. The security fix addressing this vulnerability is documented in the GitHub Pull Request.

Detection Methods for CVE-2026-1144

Indicators of Compromise

• Unexpected crashes in applications using QuickJS with stack traces referencing atomic operations in quickjs.c
• Memory access violations or segmentation faults during JavaScript execution
• Anomalous behavior when processing untrusted JavaScript input containing Atomics operations

Detection Strategies

• Monitor application logs for crashes or errors related to QuickJS atomic operations
• Implement runtime memory safety checks using tools like AddressSanitizer (ASan) to detect use after free conditions
• Deploy endpoint detection solutions capable of identifying memory corruption exploitation attempts
• Review JavaScript inputs for suspicious patterns involving SharedArrayBuffer and Atomics operations

Monitoring Recommendations

• Enable detailed logging for applications embedding QuickJS to capture crash diagnostics
• Implement application-level monitoring for unexpected terminations or memory-related errors
• Use SentinelOne's behavioral AI to detect exploitation attempts targeting memory corruption vulnerabilities
• Set up alerts for process crashes with memory access violation indicators

How to Mitigate CVE-2026-1144

Immediate Actions Required

• Update quickjs-ng QuickJS to a version that includes the security patch (commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141)
• Audit applications that embed QuickJS to identify vulnerable deployments
• Restrict processing of untrusted JavaScript input until patches are applied
• Implement input validation and sandboxing for JavaScript execution environments

Patch Information

The vulnerability has been addressed in commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Organizations using quickjs-ng QuickJS should apply this patch immediately. The fix can be obtained from the GitHub Commit. For tracking and additional details, refer to VulDB #341737.

Workarounds

• Disable or restrict Atomics operations in QuickJS configurations if the feature is not required
• Implement strict content security policies to prevent execution of untrusted JavaScript
• Deploy web application firewalls to filter potentially malicious JavaScript payloads
• Isolate QuickJS execution in sandboxed environments with restricted memory access

# Verify QuickJS version and apply patch
git clone https://github.com/quickjs-ng/quickjs.git
cd quickjs
git log --oneline | grep ea3e9d77
# If patch not present, cherry-pick the fix
git cherry-pick ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
make clean && make