Security researchers have disclosed comprehensive technical details and released exploit code for a significant remote code execution (RCE) vulnerability in Google Chrome’s V8 JavaScript engine. This flaw, identified as a WebAssembly type canonicalization bug, arises from an improper nullability check in the `CanonicalEqualityEqualValueType` function, introduced by commit 44171ac in Chrome version M135 and later.
Understanding the Vulnerability
The core issue lies in the V8 engine’s failure to correctly differentiate between `ref t0` and `ref null t0`. This oversight allows attackers to create two recursive type groups that produce identical MurmurHash64A hash values. By executing a birthday attack on the type canonicalization process, adversaries can induce nullability confusion on indexed reference types, thereby compromising the foundational type safety guarantees of WebAssembly (Wasm).
Exploiting the Flaw
A novel method to bypass the V8 sandbox has been identified, leveraging flaws in JavaScript Promise Integration (JSPI) state-switching introduced in Chrome M137. According to SSD Secure Disclosure, attackers can exploit intra-state confusion in the secondary stack management logic to manipulate execution between nested JavaScript and Wasm stacks in an unintended sequence. By circumventing inactive stacks and injecting attacker-controlled values into suspended frames, the exploit achieves full stack control. This control facilitates the construction of a return-oriented programming (ROP) chain, which can invoke `VirtualProtect` on a read-write-execute (RWX) shellcode buffer.
Proof-of-Concept Exploit
The publicly available proof-of-concept consists of an HTML payload and accompanying JavaScript that utilizes `wasm-module-builder.js` to generate custom Wasm types and functions. To deploy the exploit:
1. Set up a local HTTP server to serve the exploit files.
2. Navigate to `http://127.0.0.1:8000/exp.html` in a vulnerable version of Chrome.
Upon successful exploitation, this will launch the Windows Calculator application (`calc.exe`) through a crafted ROP chain and RWX shellcode.
Exploit Mechanism
The exploit operates through the following steps:
1. Type Group Collision: It enumerates two Wasm recursive type groups (`t2null` and `t2nonnull`) that differ only in nullability. A birthday attack across 2^32 MurmurHash64A values is used to find a collision.
2. Nullability Confusion: By casting a `ref null t1` into `ref t1`, the exploit gains a sandboxed read/write primitive by exploiting out-of-bounds access to a large `ArrayBuffer`.
3. Stack Manipulation: Nested promise-based Wasm exports are constructed to force stack switches. The exploit then takes advantage of a missing `SBX_CHECK` in commit c6426203 to skip an inactive stack frame, resulting in an attacker-controlled execution context.
4. ROP Chain Construction: A retsled array of gadget addresses (e.g., `pop rax; jmp rax`, `VirtualProtect` thunk offsets) is sprayed to mark shellcode memory as executable and transfer control to it.
Discovery and Mitigation
The vulnerability was discovered by security researcher Seunghyun Lee (0x10n), who secured the top position in the Chrome RCE category at TyphoonPWN 2025. In response, Google has committed a patch to address the nullability regression, reintroduce strict `SBX_CHECK` validations in JSPI, and restore robust type safety within the V8 engine.
User Advisory
Users are strongly encouraged to update their Chrome browsers to version M137.0.7151.57 or later to mitigate this critical RCE risk. Regular updates are essential to protect against emerging vulnerabilities and ensure a secure browsing experience.
