CVE-2026-1145

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-1145

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1145.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-1145

Downstream

DEBIAN-CVE-2026-1145

Published

2026-01-19T09:16:02.587Z

Modified

2026-03-15T22:53:05.791063Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function jstypedarrayconstructorta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

References

Affected packages

Git / github.com/paralin/quickjs

Affected ranges

Type: GIT
Repo: https://github.com/paralin/quickjs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

53aebe66170d545bb6265906fe4324e4477de8b4

Type

GIT

Repo

https://github.com/quickjs-ng/quickjs

Events

Introduced

Last affected

6a9fe9af5ca0bf7c49ae697edef44864272317d1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.11.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.10.1

v0.11.0

v0.11.0-wasi29-reactor-r2

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.5.0

v0.6.0

v0.6.1

v0.7.0

v0.8.0

v0.9.0

Database specific

vanir_signatures

[
    {
        "target": {
            "function": "js_typed_array_constructor_ta",
            "file": "quickjs.c"
        },
        "id": "CVE-2026-1145-40e2724c",
        "digest": {
            "function_hash": "326923451874279899459817696478252837695",
            "length": 1177.0
        },
        "source": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "quickjs.c"
        },
        "id": "CVE-2026-1145-b58e4998",
        "digest": {
            "line_hashes": [
                "45372074689032643083731297437076335259",
                "333766548650432247447348785694021693565",
                "281369126161482718698234805438615858363",
                "310271018290203849350849518804908040112"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line"
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1145.json"