Researchers have published the full technical details and exploit code for a critical remote code execution (RCE) vulnerability in Google Chrome’s V8 JavaScript engine.
Tracked internally as a WebAssembly type canonicalization bug, the flaw stems from an improper nullability check in the CanonicalEqualityEqualValueType function introduced by commit 44171ac in Chrome M135 and above.
This regression fails to distinguish between ref t0 and ref null t0, enabling an attacker to craft two recursive type groups that collide under the same MurmurHash64A hash value.
By launching a birthday attack on the type canonicalization, the exploit achieves nullability confusion on indexed reference types, undermining core Wasm type safety guarantees.
A novel V8 sandbox bypass leverages JavaScript Promise Integration (JSPI) state-switching flaws introduced in M137.
SSD Secure Disclosure stated that an attacker abuses an intra-state confusion in the secondary stack management logic to pivot execution between nested JS and Wasm stacks out of order.
By skipping over inactive stacks and spraying attacker-controlled values into suspended frames, the exploit gains full stack control and builds a return-oriented programming chain to invoke VirtualProtect on a RWX shellcode buffer.
Chrome RCE Vulnerability Exploit
The publicly released proof-of-concept comprises an HTML payload and accompanying JavaScript leveraging wasm-module-builder.js to generate bespoke Wasm types and functions. To deploy the exploit:
Then, navigate to http://127.0.0.1:8000/exp.html. Successful exploitation will spawn a Windows calc.exe process via a crafted ROP chain and RWX shellcode. The exploit script performs the following steps:
Enumerates two Wasm recursive type groups (t2null vs. t2nonnull) differing only in nullability, then uses a birthday attack across 2^32 MurmurHash64A values to locate a collision.
Casts a ref null t1 into ref t1, granting a sandboxed caged read/write primitive by abusing out-of-bounds access to a large ArrayBuffer.
Constructs nested promise-based Wasm exports to force stack switches, then exploits a missing SBX_CHECK in commit c6426203 to skip an inactive stack frame, yielding attacker-controlled execution context.
Sprays a retsled array of gadget addresses—pop rax; jmp rax, VirtualProtect thunk offsets, etc.—to mark shellcode memory as executable and jump into it.
Credit for the discovery and exploit goes to Seunghyun Lee (0x10n), winner of the Chrome RCE category at TyphoonPWN 2025.
A patch has been committed to address the nullability regression, reintroduce strict SBX_CHECKs in JSPI, and restore robust type safety in the V8 engine.
Users are strongly advised to update to Chrome M137.0.7151.57 (or later) as soon as possible to mitigate this critical RCE risk.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
