CVE-2026-1144
Use-After-Free Vulnerability in QuickJS Atomics Ops Handler
Publication date: 2026-01-19
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quickjs-ng | quickjs | up to and including 0.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1144 is a heap use-after-free (UAF) vulnerability in the QuickJS JavaScript engine, specifically in atomic operations within the Atomics Ops Handler component. The issue occurs because the engine caches a pointer to a typed array's element storage before performing atomic operations. During the conversion of user-supplied values, arbitrary JavaScript code can execute side effects such as resizing the underlying ArrayBuffer. This resizing frees or moves the original buffer, invalidating the cached pointer. Subsequent atomic operations then use this stale pointer, causing a use-after-free condition that can lead to memory corruption or arbitrary code execution. The vulnerability affects functions like js_atomics_store and js_atomics_op and can be triggered remotely. A patch has been released that adds proper bounds checking and defers pointer calculation until after validation to prevent out-of-bounds access. [1, 2, 3, 5, 6, 7]
How can this vulnerability impact me?
This vulnerability can lead to use-after-free memory corruption in the QuickJS engine, which may cause program crashes, unexpected behavior, or allow an attacker to execute arbitrary code remotely. Because the exploit is publicly available and easy to execute, attackers can leverage this flaw to compromise the confidentiality, integrity, and availability of systems using affected versions of QuickJS. This can result in unauthorized access, data manipulation, or denial of service. [2, 3, 5, 7]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running test scripts that simulate the exploit scenario, such as those introduced in the fix (bug1301.js and bug1302.js), which test for malicious .valueOf methods that resize ArrayBuffers during atomic operations. Additionally, monitoring for AddressSanitizer (ASAN) reports indicating heap use-after-free errors in QuickJS atomic operations can help detect exploitation attempts. There are no specific network detection commands provided, but reviewing logs for crashes or unusual behavior in QuickJS processes and running the provided test scripts can help identify the vulnerability. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141, which refactors atomic buffer access to include explicit bounds checking after any potential side effects like buffer resizing. This patch prevents out-of-bounds memory access and use-after-free conditions in atomic operations. Until the patch is applied, avoid running untrusted JavaScript code that uses atomic operations on resizable ArrayBuffers. Additionally, monitoring for updates from the QuickJS-NG project and applying them promptly is advised. [4]
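The ordering problem described in the explanation above, and the deferred pointer calculation described in the mitigation, shown as an added example in a simplified C model. This is not QuickJS code: `Buf`, `ToInt32`, `store_unsafe`, `store_safe` and the callbacks are hypothetical names, and the callback stands in for value conversion that can run script such as a `valueOf` method.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a resizable ArrayBuffer (hypothetical type, not QuickJS's). */
typedef struct { int32_t *data; size_t len; } Buf;

/* Stands in for value conversion, which may run script (e.g. valueOf). */
typedef int32_t (*ToInt32)(Buf *b);

static int buf_resize(Buf *b, size_t n) {
    int32_t *p = calloc(n ? n : 1, sizeof *p);
    if (!p) return -1;
    memcpy(p, b->data, (n < b->len ? n : b->len) * sizeof *p);
    free(b->data);               /* old storage is gone: cached pointers dangle */
    b->data = p; b->len = n;
    return 0;
}

/* Vulnerable ordering: element pointer is computed before conversion runs. */
int store_unsafe(Buf *b, size_t idx, ToInt32 conv) {
    if (idx >= b->len) return -1;
    int32_t *slot = &b->data[idx];   /* cached too early */
    int32_t v = conv(b);             /* may resize and free b->data */
    *slot = v;                       /* use-after-free if a resize happened */
    return 0;
}

/* Hardened ordering: convert first, then validate, then derive the pointer. */
int store_safe(Buf *b, size_t idx, ToInt32 conv) {
    int32_t v = conv(b);             /* all side effects happen here */
    if (idx >= b->len) return -1;    /* bounds check against current length */
    b->data[idx] = v;                /* pointer derived from current storage */
    return 0;
}

/* Constructed conversion callbacks used as sample input. */
int32_t conv_plain(Buf *b)  { (void)b; return 7; }
int32_t conv_shrink(Buf *b) { buf_resize(b, 1); return 7; }

/* Returns 0 when store_safe accepts a normal store and rejects a stale index. */
int demo(void) {
    Buf b = { calloc(8, sizeof(int32_t)), 8 };
    if (!b.data) return 1;
    int ok = store_safe(&b, 5, conv_plain) == 0 && b.data[5] == 7;
    int rejected = store_safe(&b, 5, conv_shrink) == -1 && b.len == 1;
    free(b.data);
    return (ok && rejected) ? 0 : 2;
}
```

Building the model with `-fsanitize=address` and passing `conv_shrink` to `store_unsafe` produces the kind of heap-use-after-free report the detection answer mentions; `store_safe` returns -1 for the same input.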