xvonfers (@xvonfers) 's Twitter Profile
xvonfers

@xvonfers

Browser & *nix VR.
Ex SIGINT

ID: 1695083774881550336

25-08-2023 14:41:18

5.5K Tweets

3.3K Followers

823 Following

stephen (@_tsuro):

Here are the slides from my #Zer0con2019 talk about TurboFan (Chrome's javascript compiler). If you have any questions, please leave a comment in the slides and I'll try to explain it in the speaker's notes. docs.google.com/presentation/d…

Ahn Ki Chan (@externalist):

Here are the slides for my keynote, 'Mobile Exploitation, the past, present, and the future' at #Zer0Con2023. Zer0con was a blast as always, thank you POC_Crew 👨‍👩‍👦‍👦!! 🚀💫 github.com/externalist/pr…

xvonfers (@xvonfers):

🔥🔥🔥 [$55000] (CVE-2024-8904) [365376497][wasm][jspi] JSPI stack switching breaks lazy deoptimization guarantees -> type confusion in V8 is now open with PoC (bypass stable map code dependencies) and exploit (rce + v8sbx escape [361862752]) issues.chromium.org/issues/3653764…

xvonfers (@xvonfers):

[361862752] Compiled JS-to-WASM wrappers don't guard against `trusted_function_data` overwrites (v8sbx escape) issues.chromium.org/issues/3618627… PoC: issues.chromium.org/action/issues/… PoC (changed the SFI pointer offset from 0x14 to 0x10): issues.chromium.org/action/issues/… Reported by Matthias Pleschinger

xvonfers (@xvonfers):

😅 Exploit chain: CVE-2024-12053 + 361862752 (rce + v8sbx escape), exploited ITW issues.chromium.org/issues/3790091… issues.chromium.org/issues/3618627…

xvonfers (@xvonfers):

Exploited ITW (CVE-2025-5419) [420636529][turbofan] OOBRW chromium-review.googlesource.com/c/v8/v8/+/6594… chromereleases.googleblog.com/2025/06/stable… Reported by Clément Lecigne (clem1) and Benoît Sevens

xvonfers (@xvonfers):

If you look at v8ctf public submissions, specifically for 2025, then in almost six months only 5 have been confirmed (two of which are 0-day). And in general, there have been few serious problems in v8 so far (only one 0-day ITW + one N-day ITW full-chain). docs.google.com/spreadsheets/d…

Nikolaj Schlej (@nikolajschlej):

The embargo (12:00 UTC 2025-06-10) is over, let's start a thread on Hydroph0bia (CVE-2025-4275), a trivial SecureBoot and FW updater signature bypass in almost any Insyde H2O-based UEFI firmware used since 2012 and still in use today. English writeup: coderush.me/hydroph0bia-pa…

xvonfers (@xvonfers):

[423050527][turbolev] Fix computation of dematerialized objects IDs chromium.googlesource.com/v8/v8/+/22daaf… Regress test: `./d8 --allow-natives-syntax --turbolev` chromium.googlesource.com/v8/v8/+/22daaf…

xvonfers (@xvonfers):

[$5000][385775375][sandbox] Changing the element type of an array before it is sorted may cause an OOBW -> v8sbx violation issues.chromium.org/issues/3857753… Reported by v8sbxfuzz

kylebot (@ky1ebot):

This is interesting. I exploited and reported this kernel bug at pwn2own in March last year and it got patched after more than half a year in Oct. And to this day, there is no mention that it is exploitable. Btw, the patch only reduces race window. github.com/torvalds/linux…

xvonfers (@xvonfers):

(CVE-2025-5958) [$8000][420150619] UAF in Media. Reported by Huang Xilin of Ant Group Light-Year Security Lab chromereleases.googleblog.com/2025/06/stable… Disable DelayStopForMediaElementSourceNode feature chromium-review.googlesource.com/c/chromium/src…