
CVE-2026-1145: Heap-based Buffer Overflow in quickjs-ng quickjs

Severity: Medium
Type: Vulnerability
Published: Mon Jan 19 2026 (01/19/2026, 08:02:08 UTC)
Source: CVE Database V5
Vendor/Project: quickjs-ng
Product: quickjs

Description

CVE-2026-1145 is a medium severity heap-based buffer overflow vulnerability in the quickjs-ng quickjs JavaScript engine versions up to 0.11.0. The flaw exists in the js_typed_array_constructor_ta function within quickjs.c and can be exploited remotely without authentication. Successful exploitation requires user interaction and may lead to limited confidentiality, integrity, and availability impacts. Although no known exploits are currently active in the wild, a proof-of-concept exploit has been published. A patch identified by commit 53aebe66170d545bb6265906fe4324e4477de8b4 is available and should be applied promptly. European organizations using quickjs-ng quickjs, especially in embedded systems or web environments, should prioritize mitigation. Countries with strong software development sectors and critical infrastructure relying on quickjs are at higher risk.

AI-Powered Analysis

Last updated: 01/26/2026, 20:07:45 UTC

Technical Analysis

CVE-2026-1145 is a heap-based buffer overflow vulnerability found in the quickjs-ng quickjs JavaScript engine, affecting all versions up to 0.11.0. The vulnerability resides in the function js_typed_array_constructor_ta within the quickjs.c source file. This function improperly handles typed array construction, leading to a heap overflow condition when processing crafted inputs. The flaw can be triggered remotely without requiring authentication, though user interaction is necessary to initiate the exploit. The vulnerability allows an attacker to corrupt heap memory, potentially enabling arbitrary code execution, denial of service, or information disclosure, albeit with limited impact on confidentiality, integrity, and availability as indicated by the CVSS vector. The exploit complexity is low, and no privileges are needed, increasing the risk profile. Although no active exploits have been observed in the wild, a proof-of-concept exploit has been published, increasing the urgency for patching. The vendor has released a patch (commit 53aebe66170d545bb6265906fe4324e4477de8b4) that corrects the buffer handling in the affected function. Quickjs-ng quickjs is used in various embedded and web applications for JavaScript execution, making this vulnerability relevant to environments where this engine is embedded or exposed to untrusted inputs.

Potential Impact

For European organizations, the impact of CVE-2026-1145 depends on the extent of quickjs-ng quickjs usage within their software stacks, particularly in embedded devices, IoT, or web platforms. Successful exploitation could lead to arbitrary code execution or denial of service, potentially disrupting services or enabling further compromise. Confidentiality and integrity impacts are limited but non-negligible, especially if the vulnerability is chained with other exploits. Critical infrastructure sectors such as telecommunications, manufacturing, and energy that utilize embedded JavaScript engines may face operational risks. Additionally, organizations providing software development or hosting services that incorporate quickjs-ng quickjs could see reputational damage and customer impact if exploited. The remote and unauthenticated nature of the vulnerability increases the attack surface, especially for externally facing services or devices. However, the requirement for user interaction somewhat limits automated mass exploitation. Overall, the vulnerability poses a moderate risk that should be addressed promptly to prevent potential exploitation in European environments.

Mitigation Recommendations

1. Immediately apply the official patch identified by commit 53aebe66170d545bb6265906fe4324e4477de8b4 to all affected quickjs-ng quickjs versions up to 0.11.0.
2. Conduct an inventory of all systems and applications using quickjs-ng quickjs to identify vulnerable instances, including embedded devices and development environments.
3. Restrict network exposure of services or devices running vulnerable quickjs versions, especially those accessible from untrusted networks.
4. Implement input validation and sanitization on any interfaces that process JavaScript code or typed arrays to reduce the risk of malicious input triggering the vulnerability.
5. Monitor logs and network traffic for unusual activity or signs of exploitation attempts targeting quickjs.
6. Educate developers and system administrators about the vulnerability and the importance of timely patching.
7. For environments where patching is not immediately feasible, consider deploying runtime protections such as heap memory integrity checks or sandboxing to mitigate exploitation impact.
8. Stay updated with vendor advisories and threat intelligence feeds for any emerging exploit activity or additional mitigations.
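An added example (not from the advisory or the quickjs-ng project) for the inventory step: it walks a source tree for vendored quickjs.h copies and flags versions inside the advisory's affected range. It assumes quickjs-ng declares its version through QJS_VERSION_MAJOR/MINOR/PATCH macros in quickjs.h; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: quickjs-ng declares its version in quickjs.h via these macros.
_MACRO = re.compile(r"^\s*#\s*define\s+QJS_VERSION_(MAJOR|MINOR|PATCH)\s+(\d+)", re.M)
LAST_AFFECTED = (0, 11, 0)  # "versions up to 0.11.0" per the advisory
FIX_COMMIT = "53aebe66170d545bb6265906fe4324e4477de8b4"  # from the advisory

def parse_version(header_text):
    """Return (major, minor, patch), or None if any macro is missing."""
    found = {name: int(val) for name, val in _MACRO.findall(header_text)}
    if set(found) != {"MAJOR", "MINOR", "PATCH"}:
        return None
    return (found["MAJOR"], found["MINOR"], found["PATCH"])

def classify(version):
    if version is None:
        return "unknown"  # header without version macros: review by hand
    return "affected-range" if version <= LAST_AFFECTED else "newer"

def inventory(root):
    """Walk root and return {path to quickjs.h: (version, status)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "quickjs.h" in files:
            path = os.path.join(dirpath, "quickjs.h")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            results[path] = (version, classify(version))
    return results

def demo():
    """Build a constructed sample tree (not real data) and inventory it."""
    samples = {"fw/vendor/qjs": (0, 10, 1), "app/third_party/qjs": (0, 12, 0), "old": None}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            os.makedirs(os.path.join(root, rel))
            text = "/* no version macros */\n" if ver is None else "".join(
                f"#define QJS_VERSION_{n} {v}\n" for n, v in zip(("MAJOR", "MINOR", "PATCH"), ver))
            with open(os.path.join(root, rel, "quickjs.h"), "w") as fh:
                fh.write(text)
        return {os.path.relpath(p, root): r for p, r in inventory(root).items()}

if __name__ == "__main__":
    for path, (version, status) in sorted(demo().items()):
        print(f"{status:15} {version} {path} (fix commit {FIX_COMMIT[:12]})")
```

A tree flagged affected-range may already carry a backport, so confirm it against the fix commit before closing the finding.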


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-01-18T13:43:22.716Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 696deac5d302b072d98c4bf0

Added to database: 1/19/2026, 8:26:45 AM

Last enriched: 1/26/2026, 8:07:45 PM

Last updated: 2/7/2026, 6:42:35 AM
