What is the CVSS score of CVE-2026-1144?

CVE-2026-1144 has a contested CVSS base score of 2.1 from a third party (e.g. CISA-ADP), while the vendor rates it Low. vuln.today uses the vendor rating as authoritative.

Which versions of Quickjs are affected by CVE-2026-1144?

Organizations using quickjs-ng quickjs should be aware of moderate risk from CVE-2026-1144, a buffer overflow vulnerability rated CVSS 6.3.. A patch is available.

Is there a public PoC exploit available for CVE-2026-1144?

Yes, a public proof-of-concept exploit is available for CVE-2026-1144. Prioritise patching immediately. EPSS: 0.1%.

Quickjs CVE-2026-1144

LOW

Buffer Overflow (CWE-119)

2026-01-19 cna@vuldb.com

Buffer Overflow Denial Of Service Quickjs

Low

Disputed · 2.1 NVD

Severity by source

Sources disagree (Low–High)

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

7.5 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Red Hat

6.3 HIGH

qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.3 (MEDIUM) 2.1 (LOW)

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 23, 2026 - 09:16 vuln.today

Public exploit code

Patch released

Feb 23, 2026 - 09:16 nvd

Patch available

CVE Published

Jan 19, 2026 - 08:16 nvd

MEDIUM 6.3

DescriptionCVE.org

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

AnalysisAI

Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 6.3 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker could exploit this flaw, use after free.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running quickjs-ng quickjs and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

CVE-2026-1144 vulnerability details – vuln.today

Back

Quickjs CVE-2026-1144

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code