During the TyphoonPWN 2025 competition, researcher Seunghyun Lee (0x10n) uncovered a subtle WebAssembly canonicalization bug in Chrome’s V8 engine.
The flaw stems from an incomplete nullability check in V8's CanonicalEquality::EqualValueType routine, introduced in commit 44171ac (M135).
Wasm reference types come in nullable and non-nullable variants. By constructing two type definitions that differ only in nullability but hash to the same 64-bit MurmurHash64A value (a birthday search, on the order of 2^32 hash evaluations), the attacker gets the type canonicalizer to treat the two as the same type. That confusion defeats the Wasm type guarantees the engine relies on and yields out-of-bounds memory primitives.
Combined with a novel bypass of the V8 sandbox that abuses JS Promise Integration (JSPI) as shipped in Chromium's M137 update, this yields arbitrary native code execution in the renderer process.
At the time of writing Google had not shipped a fix to the Stable channel. The canonicalization bug has been present since M135, but the published chain depends on JSPI, so the affected range given for it is 137.0.7151.40 through 138.0.7204.4.
The exploit is a two-stage chain: the nullability confusion first gives memory corruption inside the V8 sandbox, then JSPI's secondary stack feature is abused to pivot the stack pointer onto attacker-controlled data and run a ROP chain, completing the V8 sandbox bypass.
The proof-of-concept, exp.html, launches calc.exe when loaded in Chrome started with --no-sandbox. The flag is required because the chain breaks out of V8's sandbox but not out of Chrome's process sandbox; with the process sandbox in place, the result is code execution in the renderer rather than on the host.
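The birthday search is the generic part of the attack and can be shown in code. The block below is an added example, not code from the article or from 0x10n's exploit: a JavaScript MurmurHash64A together with a birthday-style collision search on a truncated output, so a run takes milliseconds instead of the roughly 2^32 evaluations a full 64-bit target needs. Its 3-byte "type encoding" is an assumption for illustration only; the article does not describe how V8 serialises a type before hashing, and this block does not model that.

```javascript
// Added example, not code from the article or from 0x10n's TyphoonPWN exploit.
// MurmurHash64A in JavaScript, plus a birthday-style collision search on a
// truncated output. The article describes a birthday search on the full
// 64-bit hash (about 2^32 evaluations); TRUNC_BITS below keeps the demo fast.
// How V8 encodes a Wasm type before hashing is NOT modelled here (assumption:
// any byte string stands in for a type encoding).

const M = 0xc6a4a7935bd1e995n;
const R = 47n;
const MASK64 = (1n << 64n) - 1n;

// MurmurHash64A (Austin Appleby). Blocks are read little-endian, matching the
// reference C implementation's uint64_t loads on x86.
function murmurHash64A(bytes, seed = 0n) {
  const len = bytes.length;
  let h = (seed ^ ((BigInt(len) * M) & MASK64)) & MASK64;
  const nblocks = Math.floor(len / 8);
  for (let i = 0; i < nblocks; i++) {
    let k = 0n;
    for (let j = 7; j >= 0; j--) k = (k << 8n) | BigInt(bytes[i * 8 + j]);
    k = (k * M) & MASK64;
    k ^= k >> R;
    k = (k * M) & MASK64;
    h ^= k;
    h = (h * M) & MASK64;
  }
  const tail = len & 7;
  if (tail) {
    for (let j = tail - 1; j >= 0; j--) {
      h ^= BigInt(bytes[nblocks * 8 + j]) << BigInt(8 * j);
    }
    h = (h * M) & MASK64;
  }
  h ^= h >> R;
  h = (h * M) & MASK64;
  h ^= h >> R;
  return h;
}

// Toy 3-byte "type encoding" [kind, nullable, heap index] (an assumption for
// illustration, not V8's format). Flipping the nullable byte always changes the
// hash (the tail xor differs, and every later step is a bijection), which is
// why a nullability-only difference has to be bridged by a genuine collision.
function toyRefTypeHash(heapIndex, nullable, seed = 0n) {
  return murmurHash64A(new Uint8Array([0x63, nullable ? 1 : 0, heapIndex & 0xff]), seed);
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));

// Birthday search: keep drawing random 8-byte inputs until two distinct inputs
// agree on the low `bits` bits of the hash. Expected draws ~ sqrt(pi/2 * 2^bits):
// each extra bit costs about sqrt(2) more work, and 64 bits lands near 2^32.
function findTruncatedCollision(bits, seed = 0n, maxTries = 1 << 24) {
  const mask = (1n << BigInt(bits)) - 1n;
  const seen = new Map(); // truncated hash (hex) -> input (hex)
  for (let tries = 1; tries <= maxTries; tries++) {
    const input = new Uint8Array(8);
    for (let j = 0; j < 8; j++) input[j] = Math.floor(Math.random() * 256);
    const key = (murmurHash64A(input, seed) & mask).toString(16);
    const hex = toHex(input);
    const prev = seen.get(key);
    if (prev !== undefined && prev !== hex) {
      return { a: prev, b: hex, truncatedHash: key, tries };
    }
    seen.set(key, hex);
  }
  return null; // budget exhausted without a collision
}

// Independent check: recompute both hashes and compare only the truncated bits.
function verifyCollision(result, bits, seed = 0n) {
  if (!result || result.a === result.b) return false;
  const mask = (1n << BigInt(bits)) - 1n;
  const ha = murmurHash64A(fromHex(result.a), seed) & mask;
  const hb = murmurHash64A(fromHex(result.b), seed) & mask;
  return ha === hb;
}

if (typeof require !== 'undefined' && require.main === module) {
  const TRUNC_BITS = 24;
  const r = findTruncatedCollision(TRUNC_BITS);
  console.log(`toy ref types differ in hash: ${toyRefTypeHash(5, true) !== toyRefTypeHash(5, false)}`);
  console.log(`${TRUNC_BITS}-bit collision after ${r.tries} draws:`, r.a, r.b, verifyCollision(r, TRUNC_BITS));
}
```

Run it with node. Raising TRUNC_BITS shows the square-root growth in draws; the Map that remembers every input seen is the memory side of the time/memory trade-off a real 64-bit search has to make, for example by switching to a cycle-finding (rho) method instead of a table.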
| Affected Versions | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|
| Chrome 137.0.7151.40 – 138.0.7204.4 | Native code execution in the renderer; on the host when Chrome runs with --no-sandbox | Victim loads a page carrying attacker-controlled JavaScript | 9.8 |
Until an official Chrome update is available, organizations may consider temporarily disabling WebAssembly where their browser management tooling permits it, or, if they build Chromium themselves, backporting the corrected nullability check.
Content Security Policy is not a mitigation here: CSP is set by the site serving a page, so an attacker-hosted exploit page simply omits it. Network-level URL filtering or blocking of untrusted sites is the control that reduces exposure.
Users should avoid untrusted sites in Chrome until the fix ships in a Stable channel release.
The post Exploit Code Published for Google Chrome RCE – Full Details Released appeared first on Cyber Security News.