
CVE-2026-1144: Use After Free in quickjs-ng quickjs

Severity: Medium
Published: Mon Jan 19 2026 (01/19/2026, 07:32:10 UTC)
Source: CVE Database V5
Vendor/Project: quickjs-ng
Product: quickjs

Description

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/03/2026, 01:17:18 UTC

Technical Analysis

CVE-2026-1144 identifies a use-after-free vulnerability in the quickjs-ng quickjs JavaScript engine, versions 0.1 through 0.11.0. The vulnerability resides in an unspecified function within the Atomics Ops Handler component of quickjs.c. Use-after-free bugs occur when a program continues to use memory after it has been freed, leading to undefined behavior such as memory corruption, crashes, or potential code execution. This particular flaw can be triggered remotely without requiring authentication, although it does require user interaction, such as processing crafted JavaScript code. The vulnerability impacts confidentiality, integrity, and availability, but with limited scope and impact severity. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). A public exploit is available, increasing the urgency for remediation. The patch identified by commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 addresses the issue. Quickjs-ng quickjs is a lightweight JavaScript engine often embedded in IoT devices, applications, and other software requiring JavaScript execution capabilities. The vulnerability's exploitation could lead to arbitrary code execution or denial of service, depending on the attacker's payload and environment.

Potential Impact

The vulnerability poses a moderate risk to organizations using quickjs-ng quickjs, especially those embedding it in IoT devices, edge computing platforms, or software products that execute JavaScript code. Successful exploitation could allow remote attackers to execute arbitrary code, crash applications, or manipulate memory, potentially leading to data leakage or service disruption. This can affect confidentiality, integrity, and availability of affected systems. Given the public availability of an exploit, attackers may attempt to leverage this vulnerability in targeted or opportunistic attacks. Organizations in sectors relying heavily on embedded systems, such as telecommunications, industrial control, consumer electronics, and automotive, may face increased risks. The medium severity score reflects the balance between ease of exploitation and limited impact scope, but the presence of a public exploit elevates the threat level. Failure to patch could result in compromise of devices or software, leading to broader network infiltration or operational disruptions.

Mitigation Recommendations

To mitigate CVE-2026-1144, organizations should promptly apply the official patch identified by commit ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 to all affected versions of quickjs-ng quickjs. Where patching is not immediately feasible, consider isolating or restricting network access to systems running vulnerable versions to reduce exposure. Implement strict input validation and sandboxing for any JavaScript code executed via quickjs to limit the impact of potential exploitation. Monitor network and application logs for anomalous behavior indicative of exploitation attempts, such as unexpected crashes or suspicious JavaScript payloads. Employ runtime protections like memory safety tools or exploit mitigation techniques (e.g., ASLR, DEP) to reduce the risk of successful exploitation. For embedded devices, ensure secure firmware update mechanisms are in place to facilitate timely patch deployment. Engage in threat hunting activities focusing on indicators of compromise related to quickjs exploitation. Finally, maintain an inventory of all software components using quickjs-ng quickjs to ensure comprehensive coverage during remediation efforts.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-18T13:43:14.894Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696de039d302b072d97ad5b0

Added to database: 1/19/2026, 7:41:45 AM

Last enriched: 3/3/2026, 1:17:18 AM

Last updated: 3/24/2026, 3:14:23 PM
