Cyber Posture

CVE-2026-1144

Medium · Public PoC

Published: 19 January 2026

Modified: 23 February 2026
KEV Added
Patch
CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0016 36.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mandates timely remediation of identified software flaws like this use-after-free vulnerability in quickjs-ng quickjs by applying the available patch.

detect

Requires vulnerability scanning to identify deployments of vulnerable quickjs-ng quickjs versions affected by this CVE.

prevent

Implements memory protection mechanisms that mitigate use-after-free exploits by restricting unauthorized memory access in the Atomics Ops Handler.

Security Summary · AI

CVE-2026-1144 is a use-after-free vulnerability (CWE-416, also related to CWE-119) in an unknown function of the file quickjs.c, in the Atomics Ops Handler component of quickjs-ng quickjs versions up to 0.11.0. quickjs-ng quickjs is a lightweight JavaScript engine that is commonly embedded in various applications for JavaScript execution.

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). It requires no privileges (PR:N) but does require user interaction (UI:R), and it has a CVSS v3.1 base score of 6.3 (C:L/I:L/A:L) with no scope change (S:U). Attackers can trigger the use-after-free condition, potentially leading to limited impacts on confidentiality, integrity, and availability. The exploit is public and may be used in attacks against affected deployments.

Mitigation is available via the patch commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 in the quickjs-ng quickjs repository. Security practitioners should apply this patch promptly, as advised in the related GitHub issues (#1301, #1302) and pull request (#1303). Updating to a patched version of quickjs-ng quickjs resolves the issue.

Details

CWE(s)

Affected Products

quickjs-ng quickjs ≤ 0.11.0

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-1144 is a remotely exploitable use-after-free vulnerability (AV:N/AC:L/PR:N/UI:R) in the QuickJS JavaScript engine, directly enabling exploitation of public-facing applications embedding this component.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
