Browser Vulnerability Research Framework
A programmable framework for researcher-guided automation, scalable execution, and proprietary research workflows.
From The Blog
Authored by stratan
At this point, we are still inside the V8 heap sandbox. CVE-2026-6307 gives us addrof, fakeobj, and in-cage read/write. For native code execution, we need a way out. We'll use Chromium bug 502229895 for that step. WasmFX is still an[...]

Authored by stratan
In Part 1, we went over the background details that are needed to follow along, as well as the trigger specifics of the bug. In Part 2, we'll go through the relevant code paths, analyze[...]

Authored by stratan
Summary: CVE-2026-6307 is a V8 compiler bug in the metadata used to recover from optimized JS-to-Wasm calls. The upstream regression describes the bug as a missing signature comparison in FrameStateFunctionInfo::operator==. A type confusion in[...]
