Xion (@0x10n)'s Twitter Profile
Xion

@0x10n

CMU CSD PhD student / 2024 Top#0 Chrome VRP Researcher / Winner of Pwn2Own Vancouver '24, TyphoonPWN '24, DEFCON 31 CTF, ... / PPP, KAIST GoN '18, @zer0pts

ID: 1298620596406743040

Link: https://github.com/leesh3288
Joined: 26-08-2020 13:57:42

359 Tweets

3.3K Followers

122 Following

xvonfers (@xvonfers):

(CVE-2024-6779) [351327767] [wasm] [multi-memory] Wasm OOB memory access due to cached memory index confusion with multi-memory is now open with PoCs and exploit: issues.chromium.org/issues/3513277… Xion P.S. I thank Seunghyun Lee for the analysis and recommend reading his great writeup.

Xion (@0x10n):

Uploaded my slides from POC2024. I'll soon be giving a slightly shorter version of the same talk on CODE BLUE 2024 too. github.com/leesh3288/talk…

xvonfers (@xvonfers):

🤔 [$55000] (CVE-2024-12692) [382291459] [wasm] Type Confusion in V8 (comparison of canonical struct types): "Compare fields, including a check that the size is the same and compare mutabilities, skipping the check for the size" chromereleases.googleblog.com/2024/12/stable… chromium-review.googlesource.com/c/v8/v8/+/6074… Xion

xvonfers (@xvonfers):

(CVE-2024-9122) [365802567] [$55000] [wasm] WASM type confusion due to imported tag signature subtyping is now open with PoC and exploit (pops calc from a '--no-sandbox' renderer): issues.chromium.org/issues/3658025… Xion

Google VRP (Google Bug Hunters) (@googlevrp):

📯 Announcing the top 20 Chrome VRP researchers for 2024: crbug.com/386306231 📯 Congratulations to everyone on the list! Many thanks and much gratitude to our entire Chrome VRP researcher community for helping us make Chrome Browser & Chromium more secure for all users! 🎊

Carl Smith (@cffsmith):

I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm! Go check it out at github.com/googleprojectz…. While we still have a way to go in improving it, we think it shows a promising approach!

Xion (@0x10n):

Sure, renderer exploits are fun, but have you tried adding hash collision constraints to it? crbug.com/381696874 crbug.com/382291459

Xion (@0x10n):

I guess v8sbx bypass reports do not require reproducers for VRP? Which I thought wouldn't even be a valid report as in g.co/chrome/vrp/#v8… 🤔 e.g. crbug.com/390568183 vs crbug.com/390816209, which I had early in my stash, only to dup with a report w/o a repro 🤦

TyphoonCon🌪️ (@typhooncon):

The Chrome RCE has been verified! The disclosure process with the vendor is now in progress. Kudos on a sharp discovery #TyphoonCon25