Share
## https://sploitus.com/exploit?id=3297FA74-345B-5662-AE60-ACE4BD802600
# CVE-2026-14431
## Bug fix
https://chromium-review.googlesource.com/c/v8/v8/+/7950517
```
[maglev] Check map of inlined array in ArrayIteratorPrototypeNext
Fixed: 523884658
Change-Id: I2a2bba817952d7023eb4b97ad41d8bb460fb9359
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7950517
Commit-Queue: Leszek Swirski
Reviewed-by: Leszek Swirski
Auto-Submit: Victor Gomes
Cr-Commit-Position: refs/heads/main@{#108053}
```
## Environment
**OS**: Ubuntu 24.04 noble x64
**v8 version**: 14.9.207.29
```
commit 6511f6cfab1f24c360d0fb737d205c27da48a623 (HEAD -> 14.9.207.29, tag: 14.9.207.29-pgo, tag: 14.9.207.29, origin/chromium/7827_155)
Author: V8 Autoroll
Date: Thu Jun 11 12:20:33 2026 -0700
Version 14.9.207.29
Version incremented at https://cr-buildbucket.appspot.com/build/8679264328861571937
Change-Id: I5634f3737fbc1d77d27f7563c2575894bdb203d3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7927432
Bot-Commit: v8-ci-autoroll-builder@chops-service-accounts.iam.gserviceaccount.com
Cr-Commit-Position: refs/branch-heads/14.9@{#57}
Cr-Branched-From: 8f08364a351ad38a60421137a09ef23953ecdd56-refs/heads/14.9.207@{#1}
Cr-Branched-From: 8de67b11924d5e8c0032029165a52d800cf05f1f-refs/heads/main@{#106999}
```
**build args**:
```
# Set build arguments here. See `gn help buildargs`.
is_debug = false
dcheck_always_on = false
v8_symbol_level = 2
v8_enable_object_print = true
v8_enable_sandbox = true
target_os = "linux"
target_cpu = "x64"
```
## Usage
Run the ExP with:
```bash
d8 --allow-natives-syntax exp.js
```
## Additional Notes
Since this vulnerability is relatively new, I have not yet identified a suitable V8 sandbox escape vulnerability to chain with it. The current PoC only provides read/write primitives within the V8 sandbox.
Research on the V8 sandbox escape portion is still in progress.