CVE-2026-0822
Description
A vulnerability was identified in quickjs-ng quickjs up to 0.11.0. This issue affects the function js_typed_array_sort of the file quickjs.c. The manipulation leads to heap-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. The identifier of the patch is 53eefbcd695165a3bd8c584813b472cb4a69fbf5. To fix this issue, it is recommended to deploy a patch.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | โ |
| sid | Affected | โ |
| forky | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| quickjs-ng | quickjs | {"endIncluding":"0.11.0"} | |
References
- https://github.com/quickjs-ng/quickjs/
- https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5
- https://github.com/quickjs-ng/quickjs/issues/1297
- https://github.com/quickjs-ng/quickjs/issues/1297#issue-3780006202
- https://github.com/quickjs-ng/quickjs/pull/1298
- https://vuldb.com/?ctiid.340356
- https://vuldb.com/?id.340356
- https://vuldb.com/?submit.731783
- https://security-tracker.debian.org/tracker/CVE-2026-0822
CWEs
CWE-119 CWE-122 CWE-787
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.