CVE-2026-1144
Publication date 19 January 2026
Last updated 19 January 2026
Ubuntu priority
Description
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| quickjs | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-1144
- https://github.com/quickjs-ng/quickjs/issues/1301
- https://github.com/quickjs-ng/quickjs/issues/1302
- https://github.com/quickjs-ng/quickjs/pull/1303
- https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
- https://vuldb.com/?ctiid.341737
- https://vuldb.com/?id.341737
- https://vuldb.com/?submit.735537
- https://vuldb.com/?submit.735538