Google has awarded a record-breaking $250,000 bounty to safety researcher “Micky” for locating a vital distant code execution vulnerability in Chrome’s browser structure.
The vulnerability allowed malicious web sites to flee Chrome’s sandbox safety and execute arbitrary code on sufferer programs.
Key Takeaways1.Google paid researcher “Micky” a file quantity for locating a vital Chrome vulnerability.2.The bug allowed malicious web sites to interrupt out of Chrome’s safety safety.3.Google patched the vulnerability.
The invention represents one of many highest particular person payouts in Google’s Vulnerability Rewards Program historical past, reflecting the delicate nature of the exploit and its potential for widespread impression.
IPCZ Transport Vulnerability
The vulnerability exploited a basic flaw in Chrome’s Inter-Course of Communication (IPC) system, particularly throughout the IPCZ driver transport mechanism.
The bug was positioned within the Transport::Deserialize operate, the place the system didn’t correctly validate header.destination_type parameters earlier than creating transport objects.
A malicious renderer course of may manipulate this parameter by passing kBroker because the vacation spot kind, successfully impersonating a privileged dealer course of.
The assault vector concerned a fancy multi-step course of the place the compromised renderer would ship a RequestIntroduction message to the dealer, adopted by a ReferNonBroker request with the malicious transport containing the spoofed kBroker header.
The renderer may then ship RelayMessage requests with deal with values starting from 4 to 1000, exploiting Home windows’ predictable deal with allocation system.
Since Home windows deal with values increment from 4, attackers may systematically iterate by potential thread handles to realize management over browser course of assets.
The exploit’s proof-of-concept demonstrated profitable sandbox escape by duplicating privileged browser course of handles, together with thread handles with full management permissions (DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE).
The researcher’s practical exploit code confirmed the power to execute system instructions like begin calc throughout the browser course of context, successfully bypassing Chrome’s multi-process safety structure.
$250,000 Report Bounty
Google’s Chrome VRP panel justified the unprecedented $250,000 reward by emphasizing the vulnerability’s complexity and the standard of the researcher’s submission.
The panel famous this represented “a really complicated logic bug and prime quality report with a practical exploit” that demonstrated full sandbox escape capabilities.
The award displays Google’s dedication to incentivizing high-caliber safety analysis focusing on Chrome’s most important safety mechanisms.
The vulnerability was responsibly disclosed on April 22, 2025, with Google’s safety crew, led by Alex Gough, creating and deploying fixes throughout Chrome’s launch channels by Could 2025.
The repair concerned dropping transitive belief from transports and implementing stricter validation of endpoint trustworthiness throughout the IPCZ driver system.
The patch was efficiently merged to Chrome variations M136 and M137, with cautious consideration given to stability implications throughout the browser’s complicated multi-process structure.
Enhance your SOC and assist your crew shield your enterprise with free top-notch risk intelligence: Request TI Lookup Premium Trial.
