NIXPKGS-2026-0064

GitHub issue published on 21 Jan 2026

Permalink CVE-2026-1144

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
4 packages
- python312Packages.quickjs
- python313Packages.quickjs
- python312Packages.llm-tools-quickjs
- python313Packages.llm-tools-quickjs
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

quickjs-ng quickjs Atomics Ops quickjs.c use after free

A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue.

Affected products

quickjs

==0.2
==0.11.0
==0.1
==0.9
==0.10
==0.8
==0.5
==0.7
==0.6
==0.3
==0.4

Matching in nixpkgs

pkgs.quickjs

Small and embeddable Javascript engine

nixos-unstable 2025-09-13-2
- nixpkgs-unstable 2025-09-13-2
- nixos-unstable-small 2025-09-13-2

pkgs.quickjs-ng

Mighty JavaScript engine

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0

Package maintainers

@stesie Stefan Siegl <stesie@brokenpipe.de>

Quickjs-ng patch: https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141
Pending PR for quickjs: https://github.com/bellard/quickjs/pull/483

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0064

Affected products

Matching in nixpkgs

pkgs.quickjs

pkgs.quickjs-ng

Package maintainers