CVE-2026-1145 identifies a heap-based buffer overflow vulnerability in the quickjs-ng quickjs JavaScript engine, specifically in the function js_typed_array_constructor_ta located in quickjs.c. This function improperly handles typed array construction, leading to a heap overflow condition when processing maliciously crafted inputs. The vulnerability affects all versions up to and including 0.11.0. The flaw can be exploited remotely without requiring authentication or elevated privileges, but user interaction is necessary to trigger the vulnerability, such as processing malicious JavaScript code. The overflow can corrupt heap memory, potentially allowing attackers to execute arbitrary code, crash the application, or cause denial of service. The vulnerability has been assigned a CVSS 4.0 score of 5.3, reflecting medium severity due to the combination of remote exploitability, user interaction requirement, and limited impact on confidentiality, integrity, and availability. A patch identified by commit 53aebe66170d545bb6265906fe4324e4477de8b4 has been released to address this issue. No confirmed exploits are currently observed in the wild, but proof-of-concept code is publicly available, increasing the risk of exploitation. Quickjs-ng quickjs is commonly embedded in IoT devices, embedded systems, and applications requiring lightweight JavaScript engines, making this vulnerability relevant to those environments.

The heap-based buffer overflow in quickjs-ng quickjs can lead to memory corruption, which attackers may leverage to execute arbitrary code remotely or cause application crashes resulting in denial of service. For organizations, this could mean compromise of devices or applications that embed quickjs-ng, potentially leading to unauthorized control, data breaches, or service disruptions. Given quickjs-ng's use in embedded and IoT devices, exploitation could affect critical infrastructure, consumer electronics, or industrial control systems. The requirement for user interaction limits automated widespread exploitation but targeted attacks remain feasible. The medium CVSS score reflects moderate risk; however, the availability of a public exploit increases the urgency for remediation. Organizations relying on quickjs-ng in their software stack must consider the risk of lateral movement or persistent compromise if exploited.

To mitigate this vulnerability, organizations should immediately update quickjs-ng quickjs to versions beyond 0.11.0 that include the patch identified by commit 53aebe66170d545bb6265906fe4324e4477de8b4. Where updating is not immediately feasible, implement runtime mitigations such as enabling memory safety features, sandboxing the JavaScript engine execution environment, and applying strict input validation to prevent processing of untrusted or malformed JavaScript code. Employ network-level protections to limit exposure of services embedding quickjs-ng to untrusted sources. Security teams should monitor for indicators of compromise related to this vulnerability and apply intrusion detection signatures where available. Regularly audit embedded devices and applications for the presence of vulnerable quickjs-ng versions and prioritize patching accordingly.