CVE-2025-46688

NameCVE-2025-46688
Descriptionquickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104255

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
quickjs (PTS)forky, sid, trixie2025.04.26-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
quickjssource(unstable)2025.04.26-11104255

Notes

https://github.com/quickjs-ng/quickjs/issues/1018
https://github.com/bellard/quickjs/issues/399
https://github.com/bellard/quickjs/commit/1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a
Search for package or bug name: Reporting problems