Researchers have printed the total technical particulars and exploit code for a crucial distant code execution (RCE) vulnerability in Google Chrome’s V8 JavaScript engine.
Tracked internally as a WebAssembly sort canonicalization bug, the flaw stems from an improper nullability verify within the CanonicalEqualityEqualValueType perform launched by commit 44171ac in Chrome M135 and above.
This regression fails to differentiate between ref t0 and ref null t0, enabling an attacker to craft two recursive sort teams that collide beneath the identical MurmurHash64A hash worth.
By launching a birthday assault on the sort canonicalization, the exploit achieves nullability confusion on listed reference varieties, undermining core Wasm sort security ensures.
A novel V8 sandbox bypass leverages JavaScript Promise Integration (JSPI) state-switching flaws launched in M137.
SSD Safe Disclosure said that an attacker abuses an intra-state confusion within the secondary stack administration logic to pivot execution between nested JS and Wasm stacks out of order.
By skipping over inactive stacks and spraying attacker-controlled values into suspended frames, the exploit positive aspects full stack management and builds a return-oriented programming chain to invoke VirtualProtect on a RWX shellcode buffer.
Chrome RCE Vulnerability Exploit
The publicly launched proof-of-concept contains an HTML payload and accompanying JavaScript leveraging wasm-module-builder.js to generate bespoke Wasm varieties and capabilities. To deploy the exploit:
Then, navigate to Profitable exploitation will spawn a Home windows calc.exe course of through a crafted ROP chain and RWX shellcode. The exploit script performs the next steps:
Enumerates two Wasm recursive sort teams (t2null vs. t2nonnull) differing solely in nullability, then makes use of a birthday assault throughout 2^32 MurmurHash64A values to find a collision.
Casts a ref null t1 into ref t1, granting a sandboxed caged learn/write primitive by abusing out-of-bounds entry to a big ArrayBuffer.
Constructs nested promise-based Wasm exports to drive stack switches, then exploits a lacking SBX_CHECK in commit c6426203 to skip an inactive stack body, yielding attacker-controlled execution context.
Sprays a retsled array of gadget addresses—pop rax; jmp rax, VirtualProtect thunk offsets, and many others.—to mark shellcode reminiscence as executable and leap into it.
Credit score for the invention and exploit goes to Seunghyun Lee (0x10n), winner of the Chrome RCE class at TyphoonPWN 2025.
A patch has been dedicated to handle the nullability regression, reintroduce strict SBX_CHECKs in JSPI, and restore strong sort security within the V8 engine.
Customers are strongly suggested to replace to Chrome M137.0.7151.57 (or later) as quickly as potential to mitigate this crucial RCE threat.
Observe us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
