Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-1144
6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV):
- Attack complexity (AC):
- Privileges required (PR):
- User interaction (UI):
- Scope (S):
- Confidentiality impact (C):
- Integrity impact (I):
- Availability impact (A):
quickjs-ng quickjs Atomics Ops quickjs.c use after free
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.
References
-
-
Submit #735537 | quickjs-ng quickjs v0.11.0 Use After Free third-party-advisory
-
Submit #735538 | quickjs-ng quickjs v0.11.0 Use After Free (Duplicate) third-party-advisory
-
https://github.com/quickjs-ng/quickjs/issues/1301 issue-tracking
-
https://github.com/quickjs-ng/quickjs/pull/1303 issue-tracking
-
Affected products
quickjs
- ==0.9
- ==0.7
- ==0.11.0
- ==0.3
- ==0.1
- ==0.4
- ==0.10
- ==0.6
- ==0.5
- ==0.8
- ==0.2
Matching in nixpkgs
pkgs.quickjs
Small and embeddable Javascript engine
-
nixos-unstable 2025-04-26
- nixpkgs-unstable 2025-04-26
- nixos-unstable-small 2025-04-26
-
nixos-25.11 2025-09-13-2
- nixpkgs-25.11-darwin 2025-09-13-2
pkgs.quickjs-ng
Mighty JavaScript engine
pkgs.python312Packages.quickjs
Python wrapper around the quickjs C library
pkgs.python313Packages.quickjs
Python wrapper around the quickjs C library
pkgs.python312Packages.llm-tools-quickjs
JavaScript execution as a tool for LLM
Package maintainers
-
@philiptaron Philip Taron <philip.taron@gmail.com>
-
@stesie Stefan Siegl <stesie@brokenpipe.de>