CVE-2026-0822
📋 TL;DR
A heap-based buffer overflow vulnerability in quickjs-ng's js_typed_array_sort function allows remote attackers to execute arbitrary code or cause denial of service. This affects all systems running quickjs-ng versions up to 0.11.0. The vulnerability is remotely exploitable and has public exploit code available.
💻 Affected Systems
- quickjs-ng quickjs
📦 What is this software?
Quickjs by Quickjs Ng
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment
Likely Case
Application crash causing denial of service, potentially leading to data corruption
If Mitigated
Application crash contained within sandbox or isolated environment with minimal impact
🎯 Exploit Status
Exploit is publicly available in GitHub issues and requires minimal technical skill to weaponize
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5
Vendor Advisory: https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5
Restart Required: Yes
Instructions:
1. Update quickjs-ng to a version after commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5
2. Rebuild any applications using quickjs-ng
3. Restart affected services
🔧 Temporary Workarounds
Disable typed array sorting
all: Remove or disable usage of typed array sort functionality in JavaScript code
Modify application code to avoid TypedArray.prototype.sort() calls (sort() on Uint8Array, Float64Array and the other typed array types)
Sandbox execution
linux: Run quickjs-ng in an isolated container or sandbox with minimal privileges
docker run --read-only --cap-drop=ALL -u nobody quickjs-app
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems
- Deploy application firewalls to monitor and block suspicious JavaScript execution patterns
🔍 How to Verify
Check if Vulnerable:
Check quickjs-ng version: if version <= 0.11.0, system is vulnerable
Check Version:
quickjs --version 2>/dev/null || grep -r "quickjs" /usr/include/quickjs/quickjs.h 2>/dev/null | grep VERSION
Verify Fix Applied:
Verify quickjs-ng includes commit 53eefbcd695165a3bd8c584813b472cb4a69fbf5 in git history
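One way to script the "Verify Fix Applied" check against a source checkout (an added example, not part of this advisory or the quickjs-ng project; the function name `fix_in_history`, its exit codes and the path in the usage comment are assumptions of this example):

```shell
#!/bin/sh
# fix_in_history REPO_DIR COMMIT
#   exit 0: COMMIT is an ancestor of HEAD (fix present in this checkout)
#   exit 1: COMMIT is not part of HEAD's history (treat as unpatched)
#   exit 2: cannot decide (not a git checkout, or shallow clone missing history)
# Caveat: a backport or cherry-pick of the fix has a different hash and
# is reported as unpatched; confirm those builds by reviewing the source.
fix_in_history() {
    repo=$1
    fix=$2

    # Vendored tarballs without .git carry no history to inspect.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo "unknown: $repo is not a git checkout"
        return 2
    fi

    # Does the commit object exist locally at all?
    if ! git -C "$repo" cat-file -e "${fix}^{commit}" 2>/dev/null; then
        # A shallow clone can contain the fix without having the object.
        if [ "$(git -C "$repo" rev-parse --is-shallow-repository 2>/dev/null)" = "true" ]; then
            echo "unknown: shallow clone, fetch full history and re-run"
            return 2
        fi
        echo "unpatched: $fix is not present in $repo"
        return 1
    fi

    # The object may exist on another branch; require it in HEAD's ancestry.
    if git -C "$repo" merge-base --is-ancestor "$fix" HEAD; then
        echo "patched: HEAD contains $fix"
        return 0
    fi
    echo "unpatched: $fix exists but is not an ancestor of HEAD"
    return 1
}

# Usage (hypothetical checkout path):
# fix_in_history /path/to/quickjs 53eefbcd695165a3bd8c584813b472cb4a69fbf5
```

Run it against the tree the application was actually built from, since a patched system checkout says nothing about a vendored copy inside another project.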
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Memory access violation errors in logs
- Unusual process termination of quickjs processes
Network Indicators:
- Unexpected network connections from quickjs processes
- Traffic patterns indicating exploit delivery
SIEM Query:
process.name:"quickjs" AND (event.action:"segmentation_fault" OR event.action:"memory_access_violation")
🔗 References
- https://github.com/quickjs-ng/quickjs/
- https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5
- https://github.com/quickjs-ng/quickjs/issues/1297
- https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202
- https://github.com/quickjs-ng/quickjs/pull/1298
- https://vuldb.com/?ctiid.340356
- https://vuldb.com/?id.340356
- https://vuldb.com/?submit.731783