Researchers have published full technical details and proof-of-concept exploit code for a critical remote code execution, RCE, vulnerability in Google Chrome’s V8 JavaScript engine. The bug stems from a WebAssembly type canonicalization regression that creates nullability confusion, and a separate JavaScript Promise Integration, JSPI, state-switching weakness that enables a novel sandbox bypass. This article explains the vulnerability, the exploit’s workflow, and recommended mitigation steps.
The vulnerability, tracked as a WebAssembly type canonicalization bug, originates from an improper nullability check in the CanonicalEqualityEqualValueType function, introduced by commit 44171ac in Chrome M135 and later. The regression fails to distinguish between ref t0 and ref null t0, allowing an attacker to craft two recursive Wasm type groups that collide under the same MurmurHash64A value. A birthday attack on the type canonicalization produces nullability confusion for indexed reference types, which breaks core Wasm type safety guarantees.
A separate but related JSPI issue, introduced in M137, involves state-switching and secondary stack management. SSD Secure Disclosure explains that an attacker can cause intra-state confusion in the secondary stack logic, pivoting execution across nested JavaScript and Wasm stacks out of order. By skipping inactive stacks and injecting attacker-controlled values into suspended frames, the exploit attains powerful stack control and builds a return-oriented programming, ROP, chain that invokes VirtualProtect to mark memory as executable.
Technical details
- Type canonicalization regression (nullability confusion)
commit 44171ac (Chrome M135+), introduced an incorrect nullability check in CanonicalEqualityEqualValueType.
two recursive type groups are constructed, differing only by nullability (for example, t2null versus t2nonnull).
using a birthday attack across 2^32 MurmurHash64A values, the exploit locates a hash collision that forces the engine to treat ref null t1 as ref t1, enabling unsafe casts and a caged read/write primitive via out-of-bounds access to a large ArrayBuffer. - JSPI sandbox bypass (stack pivot)
JSPI state-switching changes introduced in M137 contain a missing SBX_CHECK, commit c6426203 relates to this area.
by chaining nested promise-based Wasm exports, the exploit forces stack switches and skips inactive frames.
spraying attacker-controlled values into suspended frames and suspended stacks produces a controlled execution context that supports ROP gadget chaining.
Exploit workflow
generate bespoke Wasm types and functions using wasm-module-builder.js to enumerate and probe recursive type groups.
perform a birthday attack to find a MurmurHash64A collision between two type groups differing only in nullability.
cast ref null t1 into ref t1, obtain a caged read/write primitive via out-of-bounds ArrayBuffer access.
construct nested promise-based Wasm exports and trigger JSPI state transitions to skip inactive stack frames.
spray a retsled (an array of return-oriented gadgets) containing sequences such as pop rax; jmp rax, VirtualProtect thunk offsets, and shellcode pointers.
call VirtualProtect to mark an RWX shellcode buffer executable, then jump to shellcode to spawn a payload (the published PoC spawns Windows calc.exe).
Proof-of-concept and deployment
The public proof-of-concept comprises an HTML payload and JavaScript that use wasm-module-builder.js to build custom Wasm types and exploit the issues described above. To test the PoC locally, host the files and open the exploit page
At successful exploitation, the PoC spawns calc.exe via a crafted ROP chain and RWX shellcode. The exploit relies on enumerating recursive types, finding a MurmurHash64A collision, abusing nullability confusion, and leveraging JSPI stack-switching flaws to obtain full control.
Credit, patch and mitigation
Credit for discovery and the exploit goes to Seunghyun Lee (0x10n), winner of the Chrome RCE category at TyphoonPWN 2025. A patch has been committed that restores strict nullability checks in canonicalization, reintroduces SBX_CHECKs in JSPI, and tightens Wasm type safety.
Users and administrators should update to Chrome M137.0.7151.57 (or later) immediately to mitigate this critical RCE risk. In addition, follow standard hardening practices for endpoints and sandboxed environments, including:
apply browser updates centrally via your enterprise update mechanism
restrict execution of untrusted local payloads and development servers
monitor for suspicious processes and unusual injector behaviors
