CVE-2026-0821

HIGH 7.3

quickjs-ng quickjs quickjs.c js_typed_array_constructor heap-based overflow

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability was determined in quickjs-ng quickjs up to 0.11.0. This vulnerability affects the function js_typed_array_constructor of the file quickjs.c. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called c5d80831e51e48a83eab16ea867be87f091783c5. A patch should be applied to remediate this issue.

CWE	CWE-122 CWE-119
Vendor	quickjs-ng
Product	quickjs
Published	Jan 10, 2026
Last Updated	Feb 23, 2026

Stay Ahead of the Next One

Get instant alerts for quickjs-ng quickjs

Be the first to know when new high vulnerabilities affecting quickjs-ng quickjs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

quickjs-ng / quickjs

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0.10 0.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.340355 vuldb.com: https://vuldb.com/?ctiid.340355 vuldb.com: https://vuldb.com/?submit.731780 github.com: https://github.com/quickjs-ng/quickjs/issues/1296 github.com: https://github.com/quickjs-ng/quickjs/pull/1299 github.com: https://github.com/quickjs-ng/quickjs/issues/1296#issue-3780003395 github.com: https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5 github.com: https://github.com/quickjs-ng/quickjs/

Credits

🔍 mcsky23 (VulDB User)