CVE-2026-1144
Unknown Unknown - Not Provided
Use-After-Free Vulnerability in QuickJS Atomics Ops Handler

Publication date: 2026-01-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1144
EUVD
EUVD-2026-3238
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quickjs-ng quickjs to 0.11.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1144 is a heap use-after-free (UAF) vulnerability in the QuickJS JavaScript engine, specifically in atomic operations within the Atomics Ops Handler component. The issue occurs because the engine caches a pointer to a typed array's element storage before performing atomic operations. During the conversion of user-supplied values, arbitrary JavaScript code can execute side effects such as resizing the underlying ArrayBuffer. This resizing frees or moves the original buffer, invalidating the cached pointer. Subsequent atomic operations then use this stale pointer, causing a use-after-free condition that can lead to memory corruption or arbitrary code execution. The vulnerability affects functions like js_atomics_store and js_atomics_op and can be triggered remotely. A patch has been released that adds proper bounds checking and defers pointer calculation until after validation to prevent out-of-bounds access. [1, 2, 3, 5, 6, 7]

Impact Analysis

This vulnerability can lead to use-after-free memory corruption in the QuickJS engine, which may cause program crashes, unexpected behavior, or allow an attacker to execute arbitrary code remotely. Because the exploit is publicly available and easy to execute, attackers can leverage this flaw to compromise the confidentiality, integrity, and availability of systems using affected versions of QuickJS. This can result in unauthorized access, data manipulation, or denial of service. [2, 3, 5, 7]

Detection Guidance

This vulnerability can be detected by running test scripts that simulate the exploit scenario, such as those introduced in the fix (bug1301.js and bug1302.js), which test for malicious .valueOf methods that resize ArrayBuffers during atomic operations. Additionally, monitoring for AddressSanitizer (ASAN) reports indicating heap use-after-free errors in QuickJS atomic operations can help detect exploitation attempts. There are no specific network detection commands provided, but reviewing logs for crashes or unusual behavior in QuickJS processes and running the provided test scripts can help identify the vulnerability. [1, 4]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141, which refactors atomic buffer access to include explicit bounds checking after any potential side effects like buffer resizing. This patch prevents out-of-bounds memory access and use-after-free conditions in atomic operations. Until the patch is applied, avoid running untrusted JavaScript code that uses atomic operations on resizable ArrayBuffers. Additionally, monitoring for updates from the QuickJS-NG project and applying them promptly is advised. [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart