explaingit

0xsha/cve-2026-6307

Analysis updated 2026-05-18

Stars · 38
Language · HTML
Audience · developer
Complexity · 5/5
Setup · hard

TLDR

A local-lab proof-of-concept for CVE-2026-6307, a Chrome V8 type confusion bug fixed in version 147 that allows arbitrary memory read and write, demonstrated by popping a calculator from the renderer process.

Mindmap

mindmap
  root((CVE-2026-6307))
    The Bug
      V8 JS-to-Wasm confusion
      Missing signature compare
      Type mix-up on deopt
    Primitives
      addrof read address
      fakeobj write address
      Out-of-cage store
    RCE Demo
      Shellcode as JIT literals
      Calculator pops on screen
      No-ASLR lab only
    Scope
      Chrome 146 affected
      Fixed in Chrome 147
      Benign payloads only
    Audience
      Security researchers
      Browser exploit students

What do people build with it?

USE CASE 1

Study how V8 JS-to-Wasm type confusion bugs work by tracing the flag-free addrof and fakeobj primitives in a local Chrome 146 environment.

USE CASE 2

Learn how browser exploit chains progress from type confusion to memory read and write to shellcode execution using the rce-no-aslr examples.

USE CASE 3

Use the differential reachability test to confirm whether a Chrome build has the CVE-2026-6307 patch applied.

What is it built with?

HTML, JavaScript, WebAssembly, V8

How does it compare?

Repo                        Stars  Language  Setup difficulty  Complexity  Audience
0xsha/cve-2026-6307         38     HTML      hard              5/5         developer
smallnest/goal-workflow     34     HTML      easy              2/5         developer
zhaochamyu/japaneseonchain  34     HTML      easy              1/5         developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard
Time to first run · 30 min

Requires Chrome 146 on x86_64 Linux; the full RCE demo additionally requires ASLR to be disabled and an X11 display.

No license is stated; this is a security research proof-of-concept repository.

In plain English

CVE-2026-6307 is a publicly documented security vulnerability in Google Chrome's V8 JavaScript engine, patched in version 147. This repository is a researcher's proof-of-concept that reproduces the bug in a local lab environment, demonstrating the underlying memory corruption and using it to pop a calculator on screen, which is the conventional way researchers prove that code execution is possible.

The bug lives in the part of V8 that handles calls between JavaScript and WebAssembly code. A flaw in how certain internal data structures are compared lets the compiler incorrectly merge two execution states that should be kept separate. When the code then falls back from optimized machine code to interpreted mode, it mixes up data types: what the engine treats as a 64-bit integer gets materialized as a pointer, and vice versa. That mix-up is enough to read and write arbitrary memory addresses.

The repository has two levels of demonstration. The first set of HTML files (flag-free/) works without any special browser flags, simulating a real attack against a normal browser install. These files prove the building-block steps: triggering the confusion, reading an object's address in memory, and writing a chosen value to a chosen location. The second set (rce-no-aslr/) chains those steps into shellcode execution, launching a calculator from inside the Chrome renderer process. That second set requires address randomization to be disabled, so it is a lab-only scenario.

All payloads are intentionally harmless: a calculator, a process that exits with a specific code, or a loop that spins in place. The README explicitly says not to use any of this against anyone else, and everything runs against a deliberately outdated browser. The bug is fixed in Chrome 147.

This is a security research resource for people studying browser exploit techniques, V8 memory corruption primitives, or how JavaScript engine optimizations can introduce security-relevant behavior.

Copy-paste prompts

Prompt 1
Walk me through how the CVE-2026-6307 type confusion in V8 works: what is JSToWasmFrameStateFunctionInfo, what comparison is missing, and how does that lead to addrof and fakeobj primitives?
Prompt 2
I want to run the flag-free primitives in Chrome 146 headlessly on Linux. Show me the exact command to load 01-primitives-flagfree.html and verify the addrof result.
Prompt 3
Explain how the rce-no-aslr exploit stages shellcode as JIT double literals and patches the code page. Walk through the key steps in exploit-calc.html.
Prompt 4
How does the confused store in flag-free/02-store-flagfree.html bypass V8's pointer cage, and what does out-of-cage store mean in terms of V8 sandbox hardening?
Prompt 5
I want to replace xcalc with a custom payload. What does pocmode.sh change and where in the exploit chain does the execve path get set?

Frequently asked questions

What is cve-2026-6307?

A local-lab proof-of-concept for CVE-2026-6307, a Chrome V8 type confusion bug fixed in version 147 that allows arbitrary memory read and write, demonstrated by popping a calculator from the renderer process.

What language is cve-2026-6307 written in?

Mainly HTML. The stack also includes JavaScript, WebAssembly, and V8.

What license does cve-2026-6307 use?

No license is stated; this is a security research proof-of-concept repository.

How hard is cve-2026-6307 to set up?

Setup difficulty is rated hard, with roughly 30 min to a first successful run.

Who is cve-2026-6307 for?

Mainly developers.
