RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers

An Indian safety researcher has publicly printed a evidence-of-thought (PoC) exploit code for a newly found out flaw impacting Google Chrome and other Chromium-dependent browsers like Microsoft Edge, Opera, and Brave.

Unveiled by Rajvardhan Agarwal, the working exploit concerns a distant code execution vulnerability in the V8 JavaScript rendering motor that powers the website browsers and is considered to be the similar flaw shown by Dataflow Security’s Bruno Keith and Niklas Baumstark at Pwn2Possess 2021 hacking contest previous 7 days.

password auditor

Keith and Baumstark were awarded $100,000 for leveraging the vulnerability to operate malicious code inside of Chrome and Edge.

In accordance to the screenshot shared by Agarwal, the PoC HTML file, and its related JavaScript file, can be loaded in a Chromium-dependent browser to exploit the security flaw and launch the Windows calculator (calc.exe) application. But it can be well worth noting that the exploit wants to be chained with a different flaw that can let it to escape Chrome’s sandbox protections.


It appears that Agarwal was capable to set together the PoC by reverse-engineering the patch that Google’s Chromium staff pushed to the open up-supply element immediately after the specifics of the flaw were shared with the organization.

password auditor

“Having popped with our very own bugs wasn’t on my bingo card for 2021,” Baumstark tweeted. “Not guaranteed it was too intelligent of Google to increase that regression examination appropriate absent.”

Even though Google has addressed the challenge in the newest variation of V8, it is nevertheless to make its way to the steady channel, thus leaving the browsers susceptible to assaults. Google is predicted to ship Chrome 90 afterwards nowadays, but it really is not obvious if the launch will consist of a patch for the V8 flaw.

We have arrived at out to Google, and we will update the story if we listen to again.

Fibo Quantum