{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1144", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-18T13:43:14.894Z", "datePublished": "2026-01-19T07:32:10.363Z", "dateUpdated": "2026-01-20T15:19:44.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-01-19T07:32:10.363Z"}, "title": "quickjs-ng quickjs Atomics Ops quickjs.c use after free", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "Use After Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "quickjs-ng", "product": "quickjs", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}, {"version": "0.5", "status": "affected"}, {"version": "0.6", "status": "affected"}, {"version": "0.7", "status": "affected"}, {"version": "0.8", "status": "affected"}, {"version": "0.9", "status": "affected"}, {"version": "0.10", "status": "affected"}, {"version": "0.11.0", "status": "affected"}], "modules": ["Atomics Ops Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-01-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-18T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-01-18T14:49:06.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mcsky23 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.341737", "name": "VDB-341737 | quickjs-ng quickjs Atomics Ops quickjs.c use after free", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.341737", "name": "VDB-341737 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.735537", "name": "Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.735538", "name": "Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1301", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1303", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1302", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141", "tags": ["patch"]}], "tags": ["x_open-source"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T15:19:25.855037Z", "id": "CVE-2026-1144", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:19:44.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1144", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T15:19:25.855037Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T15:19:39.327Z"}}], "cna": {"tags": ["x_open-source"], "title": "quickjs-ng quickjs Atomics Ops quickjs.c use after free", "credits": [{"lang": "en", "type": "reporter", "value": "mcsky23 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "quickjs-ng", "modules": ["Atomics Ops Handler"], "product": "quickjs", "versions": [{"status": "affected", "version": "0.1"}, {"status": "affected", "version": "0.2"}, {"status": "affected", "version": "0.3"}, {"status": "affected", "version": "0.4"}, {"status": "affected", "version": "0.5"}, {"status": "affected", "version": "0.6"}, {"status": "affected", "version": "0.7"}, {"status": "affected", "version": "0.8"}, {"status": "affected", "version": "0.9"}, {"status": "affected", "version": "0.10"}, {"status": "affected", "version": "0.11.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-18T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-18T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-01-18T14:49:06.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.341737", "name": "VDB-341737 | quickjs-ng quickjs Atomics Ops quickjs.c use after free", "tags": ["vdb-entry"]}, {"url": "https://vuldb.com/?ctiid.341737", "name": "VDB-341737 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.735537", "name": "Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/?submit.735538", "name": "Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1301", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/pull/1303", "tags": ["issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/issues/1302", "tags": ["exploit", "issue-tracking"]}, {"url": "https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "Use After Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-01-19T07:32:10.363Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1144", "state": "PUBLISHED", "dateUpdated": "2026-01-20T15:19:44.176Z", "dateReserved": "2026-01-18T13:43:14.894Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-19T07:32:10.363Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue."}], "id": "CVE-2026-1144", "lastModified": "2026-01-19T08:16:04.857", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-19T08:16:04.857", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/issues/1301"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/issues/1302"}, {"source": "cna@vuldb.com", "url": "https://github.com/quickjs-ng/quickjs/pull/1303"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.341737"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.341737"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.735537"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.735538"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-416"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "quickjs-ng: quickjs-ng: Use-after-free vulnerability in Atomics Ops Handler", "id": "2430785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430785"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "(CWE-119|CWE-416)", "details": ["A flaw was found in quickjs-ng. A remote attacker could exploit a use-after-free vulnerability within the Atomics Ops Handler component, specifically in the quickjs.c file. This manipulation could lead to arbitrary code execution, information disclosure, or a denial of service. The exploit for this vulnerability is publicly available."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-1144", "public_date": "2026-01-19T07:32:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1144\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1144\nhttps://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141\nhttps://github.com/quickjs-ng/quickjs/issues/1301\nhttps://github.com/quickjs-ng/quickjs/issues/1302\nhttps://github.com/quickjs-ng/quickjs/pull/1303\nhttps://vuldb.com/?ctiid.341737\nhttps://vuldb.com/?id.341737\nhttps://vuldb.com/?submit.735537\nhttps://vuldb.com/?submit.735538"], "statement": "This vulnerability is rated Important for Red Hat. A use-after-free flaw in the quickjs-ng JavaScript engine's Atomics Ops handler can be exploited remotely. If quickjs-ng is used in a Red Hat product, this could lead to arbitrary code execution. The exploit is publicly available.", "threat_severity": "Important"}