Google Chromium V8 Out-of-Bounds Read/Write — Crash PoC (CVE-2026-11645)
by Google/Chromium (advisory); 0xBlackash (crash PoC) · 2026-07-01
- Severity: High
- CVE: CVE-2026-11645
- Category: web
- Affected product: Google Chrome / Chromium — V8 JavaScript and WebAssembly engine
- Affected versions: Chrome prior to 149.0.7827.103
- Disclosed: 2026-07-01
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-07-01 |
| Last Updated | 2026-06 |
| Author / Researcher | Google/Chromium (advisory); 0xBlackash (crash PoC) |
| CVE / Advisory | CVE-2026-11645 |
| Category | web |
| Severity | High |
| CVSS Score | 8.8 (CVSSv3) |
| Status | Incomplete PoC (crash only — no confirmed public RCE chain) |
| Tags | browser, chrome, v8, javascript, turbofan, out-of-bounds, memory-corruption, zero-day, incomplete-poc, active-exploitation |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Google Chrome / Chromium — V8 JavaScript and WebAssembly engine |
| Versions Affected | Chrome prior to 149.0.7827.103 |
| Language / Platform | HTML/JavaScript |
| Authentication Required | No |
| Network Access Required | No (local file) — real-world delivery would be via a crafted web page |
Summary
CVE-2026-11645 is a high-severity out-of-bounds read/write vulnerability in V8, the JavaScript/WebAssembly engine used by Chrome and other Chromium-based browsers. The bug is rooted in V8’s TurboFan optimizer: incorrect range analysis for loop-modified or bitwise-manipulated values can cause the compiler to wrongly eliminate runtime bounds checks on array accesses, and a related trigger involves stale ElementsKind assumptions after array layout transitions. Google has confirmed exploitation exists in the wild but has not published root-cause implementation details, and no fully weaponized public RCE PoC has been found. This repository is a browser-crash / instability demonstrator only — it identifies vulnerable Chrome versions and triggers a repeated class-extension-with-type-change pattern intended to induce V8 memory corruption, but it does not include a working sandbox-escape or code-execution chain.
Vulnerability Details
Root Cause
TurboFan’s range analysis for loop-modified/bitwise-manipulated values can incorrectly eliminate bounds checks on typed/regular array accesses, and stale ElementsKind assumptions after an array’s backing-store layout transitions can compound the issue, producing out-of-bounds reads/writes in JIT-compiled code.
Attack Vector (as publicly understood — not fully reproduced by this PoC)
- Victim loads a crafted web page in a vulnerable Chrome build.
- JavaScript on the page trains TurboFan via repeated execution to JIT-optimize a function with the vulnerable range-analysis pattern.
- A subsequent call with attacker-controlled values causes the JIT to skip a bounds check, corrupting adjacent heap memory.
- Full exploitation would require further primitives (addr-of/fake-obj, sandbox escape) not present in this PoC.
Impact
Confirmed in-the-wild exploitation per Google, believed to enable code execution inside the browser sandbox. This archived PoC demonstrates browser instability/crash only.
Environment / Lab Setup
Target: Google Chrome < 149.0.7827.103
Attacker: Any HTTP server or local file:// delivery of CVE-2026-11645.html
Proof of Concept
PoC File
See CVE-2026-11645.html in this folder.
Open the HTML file in a vulnerable Chrome build; it includes a version-check button and a trigger button. The trigger routine repeatedly instantiates a class extending Function while changing a property value from an integer to a floating-point number, attempting to induce the TurboFan range-analysis bug and crash the renderer.
This PoC demonstrates instability/crash behavior only — it is not a working code-execution exploit.
Detection & Indicators of Compromise
Signs of compromise:
- Chrome crash reports referencing V8/TurboFan in the stack trace
- Endpoint EDR alerts for renderer-process anomalies following web browsing
Remediation
| Action | Detail |
|---|---|
| Primary fix | Update Chrome to 149.0.7827.103 or later |
| Mitigation | Enable/verify auto-update; consider Site Isolation and sandboxing hardening in managed environments |
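Defender-side version triage for this CVE, added here as an example and not part of the archived PoC or of Chromium's own code: it extracts Chrome build numbers from user-agent strings and compares them numerically against the fixed build 149.0.7827.103, which a plain string comparison gets wrong. The inventory lines and hostnames are constructed; the reduced-UA branch reflects Chrome reporting only MAJOR.0.0.0 in its user-agent string.

```javascript
// Added example (not from the archived PoC): classify a Chrome/Chromium build
// against the fixed version for CVE-2026-11645 using component-wise numeric
// comparison. A string compare would rank "149.0.7827.99" above
// "149.0.7827.103" and mis-classify a vulnerable build as patched.
const FIXED_VERSION = "149.0.7827.103"; // from the advisory

// Parse "a.b.c.d" into four integers; return null for anything that is not a
// well-formed four-component Chrome build number.
function parseChromeVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? m.slice(1, 5).map(Number) : null;
}

// Compare two parsed versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Pull the build number out of a user-agent string. Chrome's reduced UA
// reports "Chrome/MAJOR.0.0.0", which carries no patch level; treat that as
// unknown rather than vulnerable (the full version must come from endpoint
// inventory or navigator.userAgentData.getHighEntropyValues(["fullVersionList"])).
function chromeVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+\.\d+\.\d+\.\d+)/.exec(ua);
  if (!m || /\.0\.0\.0$/.test(m[1])) return null;
  return m[1];
}

// Returns "vulnerable", "patched" or "unknown" for a version string.
function classifyChromeVersion(version) {
  const v = parseChromeVersion(version);
  if (!v) return "unknown";
  return compareVersions(v, parseChromeVersion(FIXED_VERSION)) < 0 ? "vulnerable" : "patched";
}

// Constructed sample inventory lines ("<host> <user-agent>") of the kind a
// proxy log or asset inventory would hold; hostnames and UAs are made up.
const SAMPLE_INVENTORY = [
  "host-a Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.99 Safari/537.36",
  "host-b Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.103 Safari/537.36",
  "host-c Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36",
];

// Map each inventory line to { host, version, status } for triage.
function triageInventory(lines) {
  return lines.map((line) => {
    const [host, ...rest] = line.split(" ");
    const version = chromeVersionFromUserAgent(rest.join(" "));
    return { host, version, status: version ? classifyChromeVersion(version) : "unknown" };
  });
}
```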
Notes
Auto-ingested from https://github.com/0xBlackash/CVE-2026-11645 on 2026-07-01. Caution: Google has not disclosed root-cause exploitation details for this actively-exploited bug, and this is the only public repository found for the CVE. It is a crash/instability demonstrator, not a validated weaponized exploit — treat any claims of a full sandbox-escape/RCE PoC for this CVE with skepticism until corroborated by a named security researcher or vendor writeup.