CVE-2026-1145
Published: 19 January 2026
Description
A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.
Mitigating Controls (NIST 800-53 r5)
Directly mandates identification, reporting, and correction of flaws like the heap-based buffer overflow in QuickJS via timely patching.
Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of heap buffer overflows even in unpatched systems.
Enables vulnerability scanning to identify deployments of vulnerable QuickJS versions up to 0.11.0 for subsequent remediation.
Security Summary
CVE-2026-1145 is a heap-based buffer overflow vulnerability in the js_typed_array_constructor_ta function within the quickjs.c file of quickjs-ng/quickjs versions up to 0.11.0. This flaw allows improper memory handling during typed array construction, potentially leading to memory corruption. The vulnerability was published on 2026-01-19 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L), mapped to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
The vulnerability can be exploited remotely by an unauthenticated attacker over the network with low complexity, and it requires user interaction such as clicking a malicious link or processing crafted input in an application embedding QuickJS. Successful exploitation enables limited impacts, including partial disclosure of sensitive information, minor modification of data, or denial of service through application crashes, but, going by the unchanged-scope and low-impact scoring, does not allow full code execution or privilege escalation.
Mitigation is available via the patch commit 53aebe66170d545bb6265906fe4324e4477de8b4 in the quickjs-ng/quickjs repository. Security practitioners should update to a patched version of QuickJS, as advised in the associated GitHub issue #1305 and pull request #1306, to prevent exploitation.
An exploit for this vulnerability has been publicly disclosed, increasing the risk for unpatched deployments of QuickJS in embedded JavaScript engines.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based buffer overflow in an embedded JavaScript engine (QuickJS) is exploitable remotely with user interaction (malicious link or crafted input), directly facilitating Exploitation for Client Execution (T1203) via memory corruption, though with limited impacts (no full RCE per the description).