The vulnerability, reported by security researcher Micky, affects the IPCZ driver transport system and has been assigned a high severity rating by Chromium’s security team.
The flaw lies in Chromium’s Transport::Deserialize function, which does not validate the header.destination_type field before creating a transport connection.
When a compromised renderer process sends the browser process a request with kBroker as the destination type, the browser incorrectly treats the renderer endpoint as a legitimate broker process.
The misidentification occurs because the vulnerable code, at line 200 of the transport implementation, takes the endpoint type from the peer-supplied header and assumes the requesting process has broker privileges without verifying that claim against the sender’s actual role.
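As an added illustration (this is not Chromium’s code, and the hardened variant is one plausible check rather than the project’s actual fix), the following C++ models the trust decision the article describes: a hypothetical WireHeader whose source_type and destination_type fields are both written by the sender, a Transport whose remote_type was fixed when the connection was established, and a deserializer that trusts the header beside one that checks it against what the receiver already knows. All type and function names here are assumptions for this example.

```cpp
// Added illustration (not Chromium's code): modelling the trust decision the
// article describes, where a peer-supplied header field decides whether the
// far end of a newly deserialized transport is treated as a broker.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical endpoint roles, mirroring the broker / non-broker split.
enum class EndpointType : uint32_t { kBroker = 0, kNonBroker = 1 };

// Hypothetical wire header. Both fields are written by the sender, so neither
// can be trusted on its own.
struct WireHeader {
  uint32_t source_type;       // what the sender claims to be
  uint32_t destination_type;  // what it claims the far end of the new transport is
};

// The transport a message arrived on. remote_type was fixed when the
// connection was established (e.g. at browser/renderer startup), so it is the
// only trustworthy statement of what the peer is.
struct Transport {
  EndpointType remote_type;
};

struct NewTransport {
  EndpointType remote_type;  // decides whether privileged handles may be sent to it
};

static std::optional<WireHeader> ReadHeader(const std::vector<uint8_t>& bytes) {
  if (bytes.size() < sizeof(WireHeader)) return std::nullopt;  // truncated message
  WireHeader h;
  std::memcpy(&h, bytes.data(), sizeof h);
  if (h.source_type > 1 || h.destination_type > 1) return std::nullopt;  // unknown role value
  return h;
}

// Vulnerable pattern: whatever the sender wrote in destination_type becomes
// the new peer's type, so a renderer can label an endpoint it controls a broker.
std::optional<NewTransport> DeserializeTrustingHeader(const Transport& /*from*/,
                                                      const std::vector<uint8_t>& bytes) {
  auto h = ReadHeader(bytes);
  if (!h) return std::nullopt;
  return NewTransport{static_cast<EndpointType>(h->destination_type)};
}

// Hardened pattern (one plausible check, not necessarily the project's fix):
// the claimed source type must match what we already know about the sender,
// and a non-broker is never allowed to vouch that some endpoint is a broker.
std::optional<NewTransport> DeserializeChecked(const Transport& from,
                                               const std::vector<uint8_t>& bytes) {
  auto h = ReadHeader(bytes);
  if (!h) return std::nullopt;
  auto src = static_cast<EndpointType>(h->source_type);
  auto dst = static_cast<EndpointType>(h->destination_type);
  if (src != from.remote_type) return std::nullopt;  // sender lied about itself
  if (dst == EndpointType::kBroker && from.remote_type != EndpointType::kBroker)
    return std::nullopt;  // only a broker may introduce another broker
  return NewTransport{dst};
}

// Model of the downstream gate: the browser only duplicates privileged
// handles into an endpoint it believes is a broker.
bool MayReceivePrivilegedHandle(const std::optional<NewTransport>& t) {
  return t && t->remote_type == EndpointType::kBroker;
}

// Builds a header the way a (possibly malicious) sender would.
std::vector<uint8_t> MakeHeader(EndpointType src, EndpointType dst) {
  WireHeader h{static_cast<uint32_t>(src), static_cast<uint32_t>(dst)};
  std::vector<uint8_t> bytes(sizeof h);
  std::memcpy(bytes.data(), &h, sizeof h);
  return bytes;
}

int main() {
  // Constructed scenario: a message arriving from a known renderer that claims
  // the far end of the new transport is a broker.
  Transport from_renderer{EndpointType::kNonBroker};
  auto forged = MakeHeader(EndpointType::kNonBroker, EndpointType::kBroker);
  std::printf("trusting header: privileged handles allowed = %d\n",
              MayReceivePrivilegedHandle(DeserializeTrustingHeader(from_renderer, forged)));
  std::printf("checked:         privileged handles allowed = %d\n",
              MayReceivePrivilegedHandle(DeserializeChecked(from_renderer, forged)));
  return 0;
}
```

The point of the checked variant is that the role of a new endpoint is derived from the role of the transport that introduced it, which the receiver learned out of band, rather than from a field the sender fills in itself; a sandboxed renderer can then assert whatever it likes in the header without being promoted to broker.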
The researcher demonstrated this vulnerability using a proof-of-concept that applies a specific patch to Chromium’s codebase with the command git apply patch.diff followed by compilation.
The bug is particularly exploitable in component builds and official builds, where the check that would otherwise refuse the transfer (its message reads “You are attempting to duplicate a privileged handle into a sandboxed process”) is bypassed.
With a system monitoring tool such as System Informer, researchers can watch the renderer process acquire handles to browser-process threads with full access rights, handles a sandboxed renderer should never hold.
The exploit chains several IPCZ node messages and relies on how Windows handles are duplicated from the browser into the renderer.
The malicious renderer first sends a RequestIntroduction to the broker using its own node name, obtaining two transport channels.
Subsequently, it sends a ReferNonBroker request with the first transport while falsely declaring itself as a broker through the manipulated header destination type.
The attack continues with connection and RelayMessage requests using the second transport to systematically request browser process handles.
Windows handle values are small multiples of 4 handed out in a predictable order starting at 4, so the attacker can enumerate them by brute force: sending RelayMessage requests for handle values from 4 to 1000 causes the browser to duplicate every valid handle in that range into the renderer.
This vulnerability bears similarity to the previously disclosed CVE-2025-2783, which also involved incorrect handle provision in Mojo on Windows, though the current exploit demonstrates significantly higher complexity.
The bug was introduced through a specific Chromium code change and affects the foundational IPCZ Mojo driver implementation.
Chromium’s security team has acknowledged the severity of this sandbox escape vulnerability and assigned it for immediate remediation.
The post Google Awards Record $250K for Critical Chrome RCE Exploit Discovery appeared first on Cyber Security News.