SorryMybad (@s0rrymybad)'s Twitter Profile
SorryMybad

@s0rrymybad

Sorry

ID: 3276945818

12-07-2015 02:00:18

776 Tweets

14.14K Followers

278 Following

Maddie Stone (@maddiestone)

😍 New RCA! The v8 security team is at it again with a new RCA for CVE-2022-4262, the #itw0days patched in December 2022. I really like how they modified the fuzzing flag to better find this class of bugs! Thank you Samuel Groß! 🔥 googleprojectzero.github.io/0days-in-the-w…

Dinesh Shetty (@din3zh)

Root Cause Analysis - CVE-2023-32439 Type Confusion in Webkit - blog.pksecurity.io/2023/07/07/cve… #BrowserSecurity #bugbountytips #WebKit

jeff (@jeffssh)

I have completed the FORCED ENTRY RCE + SBX chain with a PAC bypass. The calculator payload can be found here: github.com/jeffssh/CVE-20…. I learned a lot about iOS exploitation and can't wait to share that in a blog post, which I'll release along with the code to generate this PDF.

Ben Hawkes (@benhawkes)

"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863). blog.isosceles.com/the-webp-0day/

Man Yue Mo (@mmolgtm)

In this post I'll use CVE-2023-3420, an incorrect side effect modelling bug in the JIT compiler that I reported to Chrome, to gain a sandboxed remote code execution in the renderer: github.blog/2023-09-26-get…

Man Yue Mo (@mmolgtm)

In this post I'll use CVE-2023-4069, a type confusion bug in the Maglev JIT compiler of Chrome that I reported in July, to gain RCE in the Chrome renderer sandbox: github.blog/2023-10-17-get…

Dataflow Security (@dfsec_com)

After 3 years, we finally managed to write our first blog post about a powerful XNU infoleak patched in 17.1 blog.dfsec.com/ios/2023/11/19…

Samuel Groß (@5aelo)

Another exciting step for the V8 sandbox: with crrev.com/c/5007733 (in Chrome 121) BytecodeArrays are now the first internal objects to move out of the sandbox and into the new trusted heap space: docs.google.com/document/d/1Ir…!

Maddie Stone (@maddiestone)

🪲 New RCA up for CVE-2021-4102 by @btiszka! It's a wild one in Chrome's Turbofan #itw0days googleprojectzero.github.io/0days-in-the-w…

xvonfers (@xvonfers)

CVE-2023-6702: Type Confusion in V8 (CaptureAsyncStackTrace). [1501326] Fix the case when the closure has run. We were using the closure pointing to NativeContext as a marker that the closure has run, but async stack trace code was confused about it. chromium.googlesource.com/v8/v8.git/+/bd…

Samuel Groß (@5aelo)

Finally got around to publishing the slides of my talk at offensivecon from ~two weeks ago. Sorry for the delay! The V8 Heap Sandbox: saelo.github.io/presentations/… Fantastic conference, as usual! :)

Man Yue Mo (@mmolgtm)

In this post I'll use CVE-2024-3833, a type confusion in v8 to gain remote code execution in the Chrome renderer sandbox: github.blog/2024-06-26-att…

Xion (@0x10n)

chromereleases.googleblog.com/2025/08/stable… [N/A][436181695] High CVE-2025-9132: Out of bounds write in V8. Reported by Google Big Sleep on 2025-08-04 TL;DR: Repro extremely short, bug very easily exploitable for a renderer RCE. Big Sleep is interesting indeed :)