NIXPKGS-2026-0063

GitHub issue published on 21 Jan 2026

Permalink CVE-2026-1145

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse removed
4 packages
- python312Packages.quickjs
- python313Packages.quickjs
- python312Packages.llm-tools-quickjs
- python313Packages.llm-tools-quickjs
1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow

A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue.

Affected products

quickjs

==0.2
==0.11.0
==0.1
==0.9
==0.10
==0.8
==0.5
==0.7
==0.6
==0.3
==0.4

Matching in nixpkgs

pkgs.quickjs

Small and embeddable Javascript engine

nixos-unstable 2025-09-13-2
- nixpkgs-unstable 2025-09-13-2
- nixos-unstable-small 2025-09-13-2

pkgs.quickjs-ng

Mighty JavaScript engine

nixos-unstable 0.11.0
- nixpkgs-unstable 0.11.0
- nixos-unstable-small 0.11.0

Package maintainers

@stesie Stefan Siegl <stesie@brokenpipe.de>

Merged patch for quickjs-ng: https://github.com/quickjs-ng/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4
Pending PR for quickjs: https://github.com/bellard/quickjs/pull/483

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0063

Affected products

Matching in nixpkgs

pkgs.quickjs

pkgs.quickjs-ng

Package maintainers