Researchers have published the full technical details and exploit code for a critical remote code execution (RCE) vulnerability in Google Chrome's V8 JavaScript engine. The flaw is an improper nullability check in V8's WebAssembly type canonicalization, introduced in Chrome M135. By crafting two recursive type groups whose hash values collide, a birthday attack on the canonicalizer, an attacker obtains nullability confusion on indexed reference types, which undermines Wasm's core type safety.
The attack then escapes the V8 sandbox with a novel bypass that abuses flaws in JavaScript Promise Integration (JSPI) state switching. According to SSD Secure Disclosure, a confusion in the secondary-stack management logic lets the attacker pivot execution between nested JS and Wasm stacks. By skipping inactive stacks and injecting attacker-controlled values, the exploit gains full control of the stack and builds a return-oriented programming (ROP) chain that calls VirtualProtect to make a buffer holding shellcode readable, writable and executable (RWX), then transfers control into that buffer. The result is native code execution under the attacker's control.
The publicly released proof-of-concept consists of an HTML payload and accompanying JavaScript that generates the required Wasm types and functions. On Windows, it spawns a calculator process via the crafted ROP chain and RWX shellcode. The script first generates two Wasm recursive type groups that differ only in nullability and then uses a birthday attack to find a pair whose hash values collide.
Having obtained the nullability confusion, the exploit casts a null reference to a non-null one and turns the confusion into a read/write primitive through out-of-bounds access to a large ArrayBuffer. It then constructs nested promise-based Wasm exports to force stack switches and abuses a missing security check to skip an inactive stack frame, gaining control of the execution context. Finally, it injects an array of gadget addresses (small snippets of existing code) into the controlled stack to mark the shellcode memory as executable and jump into it.
The vulnerability was discovered by Seunghyun Lee (0x10n), who won the Chrome RCE category at TyphoonPWN 2025 with this work. A patch has since been committed that addresses the nullability regression, reintroduces the strict checks in JSPI, and restores Wasm type safety in the V8 engine. Users are strongly advised to update to Chrome M137.0.7151.57 or later as soon as possible to mitigate this critical RCE risk.