CVE-2026-0821

Name
CVE-2026-0821
Description
A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
patch https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5
issue-tracking https://github.com/quickjs-ng/quickjs/issues/1296
exploit https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395
issue-tracking https://github.com/quickjs-ng/quickjs/pull/1299
signature https://vuldb.com/?ctiid.340355
vdb-entry https://vuldb.com/?id.340355
third-party-advisory https://vuldb.com/?submit.731780

Match rules

CPE URI Source package Min version Max version
quickjs == 0.1 == None
quickjs == 0.2 == None
quickjs == 0.3 == None
quickjs == 0.4 == None
quickjs == 0.5 == None
quickjs == 0.6 == None
quickjs == 0.7 == None
quickjs == 0.8 == None
quickjs == 0.9 == None
quickjs == 0.10 == None
quickjs == 0.11.0 == None

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
quickjs edge-community 2021-03-27-r5 None possibly vulnerable
quickjs edge-community 0.20250913-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
quickjs edge-community 0.20250426-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
quickjs edge-community 0.20240113-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
quickjs 3.23-community 0.20250426-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable