CVE-2026-0821

**Plain-language summary** CVE‑2026‑0821 is a heap‑based buffer overflow in the `js_typed_array_constructor` function of the quickjs‑ng quickjs JavaScript engine (file `quickjs.c`). The flaw can be triggered remotely without user interaction, and a public exploit exists. **Who is affected** All versions of quickjs‑ng quickjs up to and including **0.11.0** are vulnerable. The vulnerability is present in the upstream quickjs‑ng project; downstream distributions (e.g., Debian’s `quickjs` package) may also be affected until they integrate the fix. **What an attacker could do** By sending crafted input that triggers the overflow, an attacker could execute arbitrary code on the target system, cause a denial‑of‑service crash, or corrupt memory—potentially leading to full system compromise if the engine runs with elevated privileges. **Recommended remediation** 1. **Apply the official patch** (commit `c5d80831e51e48a83eab16ea867be87f091783c5`) from the quickjs‑ng repository. 2. **Update to a fixed version** once released by the project or your distribution. 3. **Recompile** any software that embeds the vulnerable quickjs library. 4. If immediate patching isn’t possible, consider **isolating or disabling** services that expose the quickjs engine to untrusted input.