VRIG: V8 N-Day Analysis CVE-2023-4068

CVE-2023-4068 WASM Null vs JS Null Type Confusion. Bug Type: V8 introduced a dedicated WASM null type for WebAssembly references while still keeping the JS null-value object. Some engine paths mistakenly treat the JS null value as a WASM null. This type confusion allows reading or writing beyond the bounds of the allocated JS null object. Commit: 455d38ff8df7303474e8ead05cad659aac0a1bbc. Bug Location: from src/wasm/constant-expression-interface.cc: WasmValue DefaultValueForType(ValueType type, Isolate* isolate) { switch (type.kind()) { case kI32: case kI8: case kI16: return WasmValue(0); case kI64: return WasmValue(int64_t{0}); case kF32: return WasmValue(0....

September 25, 2025 · 2 min · Oleg ·  CVE  V8

VRIG: V8 N-Day Analysis CVE-2025-5419

CVE-2025-5419 Background: based on the in-the-wild (ITW) exploit (author unknown) found by Clement Lecigne and Benoît Sevens. Build Instructions: build d8 as follows.
a) Run once:
git checkout 5c198837c21b9b6cde113c4cb35d00e6b368f9a5
gclient sync
gn gen ./out/x64.debug
gn gen ./out/x64.release
b) Debug build: patch the "ShouldZapGarbage" function in "./heap/zapping.h" to return false (it already returns false in release builds), then:
ninja -C ./out/x64.debug d8
Release build:
ninja -C ./out/x64.release d8
Run with: C:\path\to\v8\v8\out\x64....

September 25, 2025 · 7 min · Oleg ·  CVE  V8

VRIG: V8 N-Day Analysis CVE-2025-5959

CVE-2025-5959 WebAssembly Type Canonicalization Bug in CanonicalEquality::EqualValueType(). Bug Type: WebAssembly’s type canonicalization function CanonicalEquality::EqualValueType(), which collapses structurally equivalent types into a single unique form, does not take nullability (whether a reference may be null) into account for indexed references (references that point to a previously defined type by index, such as ref $t1). The consequence is that the engine cannot distinguish a nullable type such as ref null $t1 from a non-nullable one such as ref $t1 when either appears inside a type definition....

September 25, 2025 · 6 min · Oleg ·  CVE  V8
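The canonicalization flaw described in the CVE-2025-5959 entry, modelled in C++ as an added example. This is not V8 source code: the names ValueType, EqualValueTypeBuggy, EqualValueTypeFixed, Canonicalizer and NullabilityCollapses are simplified stand-ins for the real CanonicalEquality machinery. The buggy comparison ignores nullability for indexed references, so a struct with a ref $t field and a struct with a ref null $t field collapse to the same canonical index; the fixed comparison keeps them distinct.

```cpp
// Added toy model of WebAssembly type canonicalization. It is NOT V8 code:
// the names below are simplified stand-ins chosen for this example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Kind : uint8_t { kI32, kI64, kRef };

// A value type as it appears inside a struct definition. For indexed
// references (kRef), ref_index is the canonical index of the referenced type
// and nullable distinguishes (ref null $t) from (ref $t).
struct ValueType {
  Kind kind;
  bool nullable;
  uint32_t ref_index;
};

struct StructType {
  std::vector<ValueType> fields;
};

// Buggy comparison: for indexed references only the referenced index is
// compared, so nullability is silently dropped from the equality relation.
bool EqualValueTypeBuggy(const ValueType& a, const ValueType& b) {
  if (a.kind != b.kind) return false;
  if (a.kind == Kind::kRef) return a.ref_index == b.ref_index;
  return true;
}

// Fixed comparison: nullability is part of the identity of a reference type.
bool EqualValueTypeFixed(const ValueType& a, const ValueType& b) {
  if (a.kind != b.kind) return false;
  if (a.kind == Kind::kRef) {
    return a.ref_index == b.ref_index && a.nullable == b.nullable;
  }
  return true;
}

using EqFn = bool (*)(const ValueType&, const ValueType&);

// Two struct definitions are structurally equal when every field is equal
// under the supplied value-type comparison.
bool EqualStructType(const StructType& a, const StructType& b, EqFn eq) {
  if (a.fields.size() != b.fields.size()) return false;
  for (size_t i = 0; i < a.fields.size(); ++i) {
    if (!eq(a.fields[i], b.fields[i])) return false;
  }
  return true;
}

// Canonicalizer: every structurally equal definition maps to one canonical
// index; a definition gets a fresh index only if nothing equal already exists.
class Canonicalizer {
 public:
  explicit Canonicalizer(EqFn eq) : eq_(eq) {}
  uint32_t Add(const StructType& t) {
    for (size_t i = 0; i < canonical_.size(); ++i) {
      if (EqualStructType(canonical_[i], t, eq_)) return static_cast<uint32_t>(i);
    }
    canonical_.push_back(t);
    return static_cast<uint32_t>(canonical_.size() - 1);
  }
  size_t Count() const { return canonical_.size(); }

 private:
  EqFn eq_;
  std::vector<StructType> canonical_;
};

// Returns true when (struct (field (ref $base))) and
// (struct (field (ref null $base))) receive the same canonical index,
// i.e. when the canonicalizer can no longer tell them apart.
bool NullabilityCollapses(EqFn eq) {
  Canonicalizer canon(eq);
  StructType base{{ValueType{Kind::kI32, false, 0}}};
  uint32_t base_idx = canon.Add(base);
  StructType non_null{{ValueType{Kind::kRef, false, base_idx}}};
  StructType nullable{{ValueType{Kind::kRef, true, base_idx}}};
  uint32_t a = canon.Add(non_null);
  uint32_t b = canon.Add(nullable);
  return a == b;
}

int main() {
  std::printf("buggy comparison collapses ref/ref null: %d\n",
              NullabilityCollapses(EqualValueTypeBuggy));
  std::printf("fixed comparison collapses ref/ref null: %d\n",
              NullabilityCollapses(EqualValueTypeFixed));
  return 0;
}
```

With the buggy comparison the second Add returns the index already assigned to the non-nullable struct, so anything downstream that keys on the canonical index sees one type where the module declared two; with the fixed comparison the nullable struct gets its own index.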