Analysis updated 2026-05-18
Study how V8 JS-to-Wasm type confusion bugs work by tracing the flag-free addrof and fakeobj primitives in a local Chrome 146 environment.
Learn how browser exploit chains progress from type confusion to memory read and write to shellcode execution using the rce-no-aslr examples.
Use the differential reachability test to confirm whether a Chrome build has the CVE-2026-6307 patch applied.
| | 0xsha/cve-2026-6307 | smallnest/goal-workflow | zhaochamyu/japaneseonchain |
|---|---|---|---|
| Stars | 38 | 34 | 34 |
| Language | HTML | HTML | HTML |
| Setup difficulty | hard | easy | easy |
| Complexity | 5/5 | 2/5 | 1/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Chrome 146 on x86_64 Linux; the full RCE demo also requires ASLR disabled and an X11 display.
CVE-2026-6307 is a publicly documented security vulnerability in Google Chrome's V8 JavaScript engine, patched in version 147. This repository is a researcher's proof-of-concept that reproduces the bug in a local lab environment, demonstrating the underlying memory corruption and using it to pop a calculator on screen, which is the conventional way researchers prove that code execution is possible.

The bug lives in the part of V8 that handles calls between JavaScript and WebAssembly code. A flaw in how certain internal data structures are compared lets the compiler incorrectly merge two execution states that should be kept separate. When the code then falls back from optimized machine code to interpreted mode, it mixes up data types: what the engine treats as a 64-bit integer gets materialized as a pointer, and vice versa. That mix-up is enough to read and write arbitrary memory addresses.

The repository has two levels of demonstration. The first set of HTML files (flag-free/) works without any special browser flags, simulating a real attack against a normal browser install. These files prove the building-block steps: triggering the confusion, reading an object's address in memory, and writing a chosen value to a chosen location. The second set (rce-no-aslr/) chains those steps into shellcode execution, launching a calculator from inside the Chrome renderer process. That second set requires address randomization to be disabled, so it is a lab-only scenario.

All payloads are intentionally harmless: a calculator, a process that exits with a specific code, or a loop that spins in place. The README explicitly says not to use any of this against anyone else, and everything runs against a deliberately outdated browser. The bug is fixed in Chrome 147.

This is a security research resource for people studying browser exploit techniques, V8 memory corruption primitives, or how JavaScript engine optimizations can introduce security-relevant behavior.
A local-lab proof-of-concept for CVE-2026-6307, a Chrome V8 type confusion bug fixed in version 147 that allows arbitrary memory read and write, demonstrated by popping a calculator from the renderer process.
Mainly HTML; the stack also includes JavaScript and WebAssembly.
No license is stated; this is a security research proof-of-concept repository.
Setup difficulty is rated hard, with roughly 30 minutes to a first successful run.
Mainly developer.
Verify against the repo before relying on details.