CVE-2026-1144 · HIGH 8.8 · EPSS p26.6%


Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.35% probability of exploitation · percentile 26.6% · 2026-06-19T12:03:05Z
Published: 2026-01-19
Last modified: 2026-04-29

Underlying weaknesses · 2

CWE-119, CWE-416

References

  1. https://github.com/quickjs-ng/quickjs/
  2. https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
  3. https://github.com/quickjs-ng/quickjs/issues/1301
  4. https://github.com/quickjs-ng/quickjs/issues/1302
  5. https://github.com/quickjs-ng/quickjs/pull/1303
  6. https://vuldb.com/?ctiid.341737
  7. https://vuldb.com/?id.341737
  8. https://vuldb.com/?submit.735537


Type | Target | Confidence | Tier
Weakness | Improper Restriction of Operations within the Bounds of a Memory Buffer (cwe-119) | 0% | live
Weakness | Use After Free (cwe-416) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-1145
  2. CVE-2026-0822
  3. CVE-2026-0821
  4. CVE-2025-69654
  5. CVE-2025-46688
  6. CVE-2025-62490

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.