CVE-2026-0822

MEDIUM

quickjs-ng quickjs < 0.11.0 - Heap-Based Buffer Overflow in js_typed_array_sort

Title source: llm

Description

A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.

References (8)

Core 8

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.340356

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.340356

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.731783

Exploit, Issue Tracking, Vendor Advisory issue-tracking

https://github.com/quickjs-ng/quickjs/issues/1297

Issue Tracking issue-tracking

https://github.com/quickjs-ng/quickjs/pull/1298

Exploit, Issue Tracking, Vendor Advisory exploit issue-tracking

https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202

Patch patch

https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5

View Patch ZIP pw:eip

Various Sources product

https://github.com/quickjs-ng/quickjs/

Scores

CVSS v3 6.3

EPSS 0.0041

EPSS Percentile 32.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-119 CWE-122 CWE-787

Status published

Products (1)

quickjs-ng/quickjs < 0.11.0

Published Jan 10, 2026

Tracked Since Feb 18, 2026