Share
## https://sploitus.com/exploit?id=3297FA74-345B-5662-AE60-ACE4BD802600
# CVE-2026-14431
## Bug fix
https://chromium-review.googlesource.com/c/v8/v8/+/7950517
```
[maglev] Check map of inlined array in ArrayIteratorPrototypeNext

Fixed: 523884658
Change-Id: I2a2bba817952d7023eb4b97ad41d8bb460fb9359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7950517
Commit-Queue: Leszek Swirski 
Reviewed-by: Leszek Swirski 
Auto-Submit: Victor Gomes 
Cr-Commit-Position: refs/heads/main@{#108053}
```

## Environment
**OS**: Ubuntu 24.04 noble x64

**v8 version**: 14.9.207.29
```
commit 6511f6cfab1f24c360d0fb737d205c27da48a623 (HEAD -> 14.9.207.29, tag: 14.9.207.29-pgo, tag: 14.9.207.29, origin/chromium/7827_155)
Author: V8 Autoroll 
Date:   Thu Jun 11 12:20:33 2026 -0700

    Version 14.9.207.29
    
    Version incremented at https://cr-buildbucket.appspot.com/build/8679264328861571937
    
    Change-Id: I5634f3737fbc1d77d27f7563c2575894bdb203d3
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7927432
    Bot-Commit: v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com 
    Cr-Commit-Position: refs/branch-heads/14.9@{#57}
    Cr-Branched-From: 8f08364a351ad38a60421137a09ef23953ecdd56-refs/heads/14.9.207@{#1}
    Cr-Branched-From: 8de67b11924d5e8c0032029165a52d800cf05f1f-refs/heads/main@{#106999}


```
**build args**:
```
# Set build arguments here. See `gn help buildargs`.
is_debug = false
dcheck_always_on = false
v8_symbol_level = 2
v8_enable_object_print = true
v8_enable_sandbox = true
target_os = "linux"
target_cpu = "x64"
```
## Usage

Run the ExP with:

```bash
d8 --allow-natives-syntax exp.js
```

## Additional Notes

Since this vulnerability is relatively new, I have not yet identified a suitable V8 sandbox escape vulnerability to chain with it. The current PoC only provides read/write primitives within the V8 sandbox.

Research on the V8 sandbox escape portion is still in progress.