Google Chrome, the world’s most widely used browser, is facing a critical remote code execution (RCE) vulnerability in its V8 JavaScript engine. Security researchers have published the full technical details and exploit code, significantly increasing the risk of active attacks if users fail to update promptly.
The flaw, discovered by researcher Seunghyun Lee (0x10n)—winner of the TyphoonPWN 2025 competition—affects Chrome version M135 and newer. It allows attackers to execute arbitrary code on a victim’s device simply by visiting a malicious webpage.
What Causes This Vulnerability?
The issue stems from a “type canonicalization” bug in the WebAssembly component of the V8 engine. In simple terms, Chrome fails to correctly distinguish between nullable and non-nullable references (e.g., ref t0 vs. ref null t0).
This mishandling allows attackers to craft two recursive type groups that collide under the same MurmurHash64A hash, leading to type confusion in indexed references. As a result, WebAssembly's type safety breaks down, allowing controlled memory manipulation.
In short: Chrome loses control over which memory references are secure, opening the door to malicious code execution.
A Complex but Powerful Exploitation Chain
The vulnerability isn’t limited to the nullability bug. Researchers also found a sandbox bypass in Chrome M137, exploiting a flaw in the integration of JavaScript Promise (JSPI) with WebAssembly.
By manipulating execution states between the JavaScript and WebAssembly stacks, attackers can alter execution flow and gain control over the entire call stack.
This allows for the construction of a ROP chain (Return-Oriented Programming) using system functions like VirtualProtect, enabling the attacker to mark memory as executable and run arbitrary shellcode.
Similar titles: Google Hit by Data Breach Following Salesforce Attacks
Step-by-Step Exploitation Process
The researchers released a proof-of-concept (PoC) with an HTML file and a JavaScript script using wasm-module-builder.js. The attack unfolds as follows:
- Type Enumeration: Two recursive type groups (t2null and t2nonnull) are created, differing only in nullability.
- Birthday Attack: A probabilistic attack forces a hash collision between the two types under MurmurHash64A.
- Type Confusion: ref null t1 is converted to ref t1, enabling out-of-bounds access to a large ArrayBuffer.
- Stack Manipulation: JSPI flaw allows attackers to jump across stack frames and execute code in unintended contexts.
- ROP Chain Construction: Injects gadget addresses (pop rax; jmp rax, VirtualProtect, etc.) to prep shellcode memory.
- Final Execution: Demonstrates full control by launching calc.exe in Windows.
The exploit was successfully tested on Chrome M137 prior to the release of Google’s fix.
Chrome RCE Vulnerability Exploit (Source: Cyber Security News)
Google’s Response
After responsible disclosure and public release of the exploit, Google issued an emergency patch now available in Chrome version M137.0.7151.57 (or newer).
The patch:
- Fixes nullability checks
- Restores SBX_CHECK controls in JSPI
- Strengthens internal V8 sandbox testing
Users should update Chrome immediately. To do this manually:
Settings → Help → About Google Chrome → Update Chrome
What Happens If You Don’t Update?
Because the exploit code is public and functional, attackers can quickly adapt it for malicious use.
Potential consequences include:
- Complete system takeover
- Silent malware or ransomware installation
- Theft of passwords and browser cookies
- Persistent remote access
This type of RCE exploit is highly valuable on dark web forums and cybercrime markets.
You might also be interested in: Google Tells You If Your Data Is on the Dark Web
Key Lessons from This Incident
- Even secure software needs frequent patching
- Public exploit release escalates the threat window
- Browsers are now prime attack vectors
- Security doesn’t end at patching—ongoing monitoring is vital
What Your Company Can Do
At TecnetOne, we recommend the following actions:
- Immediately update all corporate browsers to the latest version
- Enforce version control to ensure updates are applied
- Block outdated Chrome versions via GPO or MDM policies
- Use EDR/XDR tools to detect in-memory exploits
- Monitor processes like rundll32.exe, calc.exe, and use of VirtualProtect
- Train staff to never ignore browser or system updates
Prevention is your best defense against memory-based remote code execution threats.
Conclusion
The release of this Chrome exploit code shows how quickly a bug can escalate into a global threat. What began as a type validation issue evolved into a critical RCE flaw capable of granting full system access.
At TecnetOne, we remind you: cybersecurity is about prevention, not just response. Update policies, behavioral monitoring, and continuous threat awareness can mean the difference between safety and compromise.
Update now—because one click is all it takes.