Bug 2430785 (CVE-2026-1144)

Summary: CVE-2026-1144 quickjs-ng: quickjs-ng: Use-after-free vulnerability in Atomics Ops Handler
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in quickjs-ng. A remote attacker could exploit a use-after-free vulnerability within the Atomics Ops Handler component, specifically in the quickjs.c file. This manipulation could lead to arbitrary code execution, information disclosure, or a denial of service. The exploit for this vulnerability is publicly available.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2430799, 2430801, 2430803, 2430805, 2430807    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-19 08:01:17 UTC 
A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.