CVE-2026-1145 Overview
A heap-based buffer overflow vulnerability has been identified in quickjs-ng QuickJS versions up to 0.11.0. The vulnerability exists in the js_typed_array_constructor_ta function within the quickjs.c file. This memory corruption flaw can be triggered remotely and may allow attackers to compromise the integrity, confidentiality, and availability of affected systems.
Critical Impact
Remote attackers can exploit this heap-based buffer overflow to potentially execute arbitrary code, cause denial of service, or corrupt memory in applications using the affected QuickJS JavaScript engine.
Affected Products
- quickjs-ng QuickJS versions up to 0.11.0
- Applications embedding the affected QuickJS library
- Systems using QuickJS for JavaScript execution
Discovery Timeline
- 2026-01-19 - CVE-2026-1145 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2026-1145
Vulnerability Analysis
This vulnerability is a heap-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) that occurs during the construction of typed arrays in the QuickJS JavaScript engine. The flaw resides specifically in the js_typed_array_constructor_ta function in quickjs.c.
When processing typed array construction operations, the function fails to properly validate memory boundaries, allowing data to be written beyond the allocated heap buffer. This type of vulnerability can lead to memory corruption, potentially enabling attackers to overwrite critical data structures, redirect program execution flow, or cause the application to crash.
The vulnerability is remotely exploitable, meaning an attacker could craft malicious JavaScript code that, when processed by an application using the vulnerable QuickJS engine, triggers the buffer overflow condition.
Root Cause
The root cause stems from insufficient bounds checking in the typed array constructor function. When handling typed array operations, the js_typed_array_constructor_ta function does not adequately validate the size or boundaries of memory operations, allowing writes to exceed the allocated heap buffer space. This represents a classic memory safety issue common in C-based implementations where manual memory management is required.
Attack Vector
The attack can be carried out remotely through any vector that allows an attacker to supply JavaScript code to be executed by the vulnerable QuickJS engine. This includes:
- Web applications using QuickJS for server-side JavaScript execution
- Desktop applications embedding QuickJS for scripting capabilities
- IoT devices or embedded systems using QuickJS as a lightweight JavaScript runtime
An attacker would craft a malicious typed array construction that triggers the overflow condition in the js_typed_array_constructor_ta function. The vulnerability has been publicly disclosed, and exploit information is available, increasing the risk of exploitation in the wild.
Technical details regarding the exploitation can be found in the GitHub Issue Discussion.
Detection Methods for CVE-2026-1145
Indicators of Compromise
- Unexpected application crashes or segmentation faults in processes using QuickJS
- Abnormal memory allocation patterns in QuickJS-based applications
- JavaScript execution anomalies involving typed array operations
- Core dumps or crash reports referencing js_typed_array_constructor_ta or quickjs.c
Detection Strategies
- Deploy memory corruption detection tools such as AddressSanitizer (ASan) in development and testing environments
- Monitor application logs for crashes related to QuickJS JavaScript execution
- Implement runtime integrity checks for heap memory allocations
- Use SentinelOne's behavioral AI to detect exploitation attempts targeting memory corruption vulnerabilities
Monitoring Recommendations
- Enable detailed logging for JavaScript execution in affected applications
- Set up crash monitoring and alerting for QuickJS-dependent services
- Monitor for unusual typed array construction patterns in JavaScript inputs
- Review application behavior after processing untrusted JavaScript code
How to Mitigate CVE-2026-1145
Immediate Actions Required
- Update quickjs-ng QuickJS to a patched version containing commit 53aebe66170d545bb6265906fe4324e4477de8b4
- Audit applications for dependencies on vulnerable QuickJS versions
- Restrict execution of untrusted JavaScript code until patches are applied
- Implement input validation for JavaScript code processed by QuickJS
Patch Information
A patch has been released to address this vulnerability. The fix is available in commit 53aebe66170d545bb6265906fe4324e4477de8b4. Organizations should apply this patch immediately to remediate the vulnerability.
Patch resources:
Workarounds
- Disable or restrict typed array functionality if not required by the application
- Implement sandboxing for JavaScript execution environments using QuickJS
- Deploy Web Application Firewalls (WAF) to filter potentially malicious JavaScript payloads
- Consider using alternative JavaScript engines for processing untrusted code until patching is complete
# Update QuickJS to patched version
cd /path/to/quickjs
git fetch origin
git checkout 53aebe66170d545bb6265906fe4324e4477de8b4
make clean
make
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
