Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1145

CVE-2026-1145: QuickJS-NG Buffer Overflow Vulnerability

CVE-2026-1145 is a heap-based buffer overflow flaw in QuickJS-NG up to version 0.11.0 that can be exploited remotely. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-1145 Overview

A heap-based buffer overflow vulnerability has been identified in quickjs-ng QuickJS versions up to 0.11.0. The vulnerability exists in the js_typed_array_constructor_ta function within the quickjs.c file. This memory corruption flaw can be triggered remotely and may allow attackers to compromise the integrity, confidentiality, and availability of affected systems.

Critical Impact

Remote attackers can exploit this heap-based buffer overflow to potentially execute arbitrary code, cause denial of service, or corrupt memory in applications using the affected QuickJS JavaScript engine.

Affected Products

  • quickjs-ng QuickJS versions up to 0.11.0
  • Applications embedding the affected QuickJS library
  • Systems using QuickJS for JavaScript execution

Discovery Timeline

  • 2026-01-19 - CVE-2026-1145 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2026-1145

Vulnerability Analysis

This vulnerability is a heap-based buffer overflow (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) that occurs during the construction of typed arrays in the QuickJS JavaScript engine. The flaw resides specifically in the js_typed_array_constructor_ta function in quickjs.c.

When processing typed array construction operations, the function fails to properly validate memory boundaries, allowing data to be written beyond the allocated heap buffer. This type of vulnerability can lead to memory corruption, potentially enabling attackers to overwrite critical data structures, redirect program execution flow, or cause the application to crash.

The vulnerability is remotely exploitable, meaning an attacker could craft malicious JavaScript code that, when processed by an application using the vulnerable QuickJS engine, triggers the buffer overflow condition.

Root Cause

The root cause stems from insufficient bounds checking in the typed array constructor function. When handling typed array operations, the js_typed_array_constructor_ta function does not adequately validate the size or boundaries of memory operations, allowing writes to exceed the allocated heap buffer space. This represents a classic memory safety issue common in C-based implementations where manual memory management is required.

Attack Vector

The attack can be carried out remotely through any vector that allows an attacker to supply JavaScript code to be executed by the vulnerable QuickJS engine. This includes:

  • Web applications using QuickJS for server-side JavaScript execution
  • Desktop applications embedding QuickJS for scripting capabilities
  • IoT devices or embedded systems using QuickJS as a lightweight JavaScript runtime

An attacker would craft a malicious typed array construction that triggers the overflow condition in the js_typed_array_constructor_ta function. The vulnerability has been publicly disclosed, and exploit information is available, increasing the risk of exploitation in the wild.

Technical details regarding the exploitation can be found in the GitHub Issue Discussion.

Detection Methods for CVE-2026-1145

Indicators of Compromise

  • Unexpected application crashes or segmentation faults in processes using QuickJS
  • Abnormal memory allocation patterns in QuickJS-based applications
  • JavaScript execution anomalies involving typed array operations
  • Core dumps or crash reports referencing js_typed_array_constructor_ta or quickjs.c

Detection Strategies

  • Deploy memory corruption detection tools such as AddressSanitizer (ASan) in development and testing environments
  • Monitor application logs for crashes related to QuickJS JavaScript execution
  • Implement runtime integrity checks for heap memory allocations
  • Use SentinelOne's behavioral AI to detect exploitation attempts targeting memory corruption vulnerabilities

Monitoring Recommendations

  • Enable detailed logging for JavaScript execution in affected applications
  • Set up crash monitoring and alerting for QuickJS-dependent services
  • Monitor for unusual typed array construction patterns in JavaScript inputs
  • Review application behavior after processing untrusted JavaScript code

How to Mitigate CVE-2026-1145

Immediate Actions Required

  • Update quickjs-ng QuickJS to a patched version containing commit 53aebe66170d545bb6265906fe4324e4477de8b4
  • Audit applications for dependencies on vulnerable QuickJS versions
  • Restrict execution of untrusted JavaScript code until patches are applied
  • Implement input validation for JavaScript code processed by QuickJS

Patch Information

A patch has been released to address this vulnerability. The fix is available in commit 53aebe66170d545bb6265906fe4324e4477de8b4. Organizations should apply this patch immediately to remediate the vulnerability.

Patch resources:

Workarounds

  • Disable or restrict typed array functionality if not required by the application
  • Implement sandboxing for JavaScript execution environments using QuickJS
  • Deploy Web Application Firewalls (WAF) to filter potentially malicious JavaScript payloads
  • Consider using alternative JavaScript engines for processing untrusted code until patching is complete
bash
# Update QuickJS to patched version
cd /path/to/quickjs
git fetch origin
git checkout 53aebe66170d545bb6265906fe4324e4477de8b4
make clean
make

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne