Login Sign Up

CVE-2026-1144

6.3 MEDIUM

📋 TL;DR

This CVE describes a use-after-free vulnerability in quickjs-ng's Atomics Ops Handler component that can be exploited remotely. Attackers could potentially execute arbitrary code or cause denial of service by manipulating freed memory. Any system running vulnerable versions of quickjs-ng is affected.

💻 Affected Systems

Products:
  • quickjs-ng
Versions: All versions up to 0.11.0
Operating Systems: All platforms running quickjs-ng
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or service using quickjs-ng with Atomics operations enabled is vulnerable.

📦 What is this software?

Quickjs by Quickjs Ng

View all CVEs affecting Quickjs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial of service through application crashes or limited memory corruption leading to instability.

🟢

If Mitigated

Application crashes without privilege escalation if proper sandboxing and memory protections are in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing systems particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk depends on internal segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

The exploit is public and may be used, but successful exploitation requires specific memory manipulation conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141

Vendor Advisory: https://github.com/quickjs-ng/quickjs/issues/1301

Restart Required: Yes

Instructions:

1. Update quickjs-ng to a version containing commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
2. Rebuild any applications using quickjs-ng
3. Restart affected services

🔧 Temporary Workarounds

Disable Atomics Operations

all

Disable Atomics operations in quickjs-ng configuration if not required

Configure quickjs-ng with -DQUICKJS_DISABLE_ATOMICS=1 during build

Network Segmentation

all

Restrict network access to services using quickjs-ng

Use firewall rules to limit access to necessary IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit exposure
  • Deploy memory protection mechanisms like ASLR and DEP if available

🔍 How to Verify

Check if Vulnerable:

Check quickjs-ng version: if version ≤ 0.11.0, system is vulnerable

Check Version:

quickjs --version or check build configuration

Verify Fix Applied:

Verify quickjs-ng includes commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected quickjs-ng process termination

Network Indicators:

  • Unusual network traffic to services using quickjs-ng
  • Suspicious payloads targeting Atomics operations

SIEM Query:

process_name:"quickjs" AND (event_type:"crash" OR memory_violation:"true")

📊 Metadata

CVE ID: CVE-2026-1144
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-119
Published: January 19, 2026
Last Updated: February 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1144, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)