{"id":23422,"date":"2025-12-11T08:00:01","date_gmt":"2025-12-11T01:00:01","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=23422"},"modified":"2026-01-20T10:24:20","modified_gmt":"2026-01-20T03:24:20","slug":"rce-in-chrome","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/rce-in-chrome\/","title":{"rendered":"RCE in Chrome: A hacker just needs you to open a webpage!"},"content":{"rendered":"<div id=\"post-content-wrapper\" class=\"prose prose-base mx-auto mb-10 min-h-30 break-words dark:prose-dark lg:prose-lg\">\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Recently, a dangerous vulnerability was discovered in\u00a0<strong>Google Chrome&#8217;s JavaScript V8<\/strong>\u00a0that allows attackers to execute arbitrary remote code on target systems. This vulnerability originates from a\u00a0<strong>flaw in the type canonicalization of WebAssembly (Wasm)<\/strong>, specifically in the function <code>CanonicalEquality::EqualValueType()<\/code>\u2014which involves comparing and &#8220;normalizing&#8221; Wasm data types.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/11-1764144918.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23427\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/11-1764144918.jpg\" alt=\"11 1764144918\" width=\"1200\" height=\"901\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/11-1764144918.jpg 1200w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/11-1764144918-700x526.jpg 700w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><\/a><\/p>\n<h2 id=\"heading-main-impact\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Main Impact<\/strong><\/span><\/h2>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Remote code execution<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, 
helvetica, sans-serif\">Browser sandbox bypass<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Automation and mass exploitation<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Impact on users and businesses<\/span><\/li>\n<\/ul>\n<h2 id=\"heading-exploit-details\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Exploit Details<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">As mentioned, this vulnerability exists due to a logic error in type checking between\u00a0<code>ref t<\/code>\u00a0and\u00a0<code>ref null t<\/code>. Additionally, the\u00a0<strong>lack of accurate hash checking<\/strong>\u00a0when canonicalizing recursive types in Wasm also contributes to this vulnerability, allowing attackers to perform RCE on your system. This issue also raises the risk of two previously exploited zero-day vulnerabilities:\u00a0<strong>CVE-2024-12381 and CVE-2024-12692<\/strong>.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1764144917.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23426\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1764144917.jpeg\" alt=\"2 1764144917\" width=\"1111\" height=\"191\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1764144917.jpeg 1111w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/2-1764144917-700x120.jpeg 700w\" sizes=\"(max-width: 1111px) 100vw, 1111px\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">First, the attacker creates a memory area that can be read and written out of bounds (OOB). 
Specifically, in WebAssembly&#8217;s\u00a0<code>CanonicalEquality::EqualValueType()<\/code>, the distinction between\u00a0<code>ref t<\/code>\u00a0and\u00a0<code>ref null t<\/code>\u00a0within a recursive type group is handled incorrectly. If the attacker provides recursive type structures that are identical except for nullability, the system hashes them to the same value (since MurmurHash does not account for nullability).<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1764144908.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23423\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1764144908.jpeg\" alt=\"3 1764144908\" width=\"763\" height=\"264\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1764144908.jpeg 763w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/3-1764144908-700x242.jpeg 700w\" sizes=\"(max-width: 763px) 100vw, 763px\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">The next stage is creating the OOB primitive and gaining control. 
The attacker&#8217;s goal is to exploit the type confusion to turn a\u00a0<code>ref null t<\/code>\u00a0object into\u00a0<code>ref t<\/code>, which causes erroneous memory accesses and thereby grants unrestricted read or write access on an\u00a0<code>ArrayBuffer<\/code>.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Specifically, in this campaign the attacker creates a fake object in memory and forces WebAssembly to execute a function with an object of the wrong type without crashing.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1764144909.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23424\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/4-1764144909.jpeg\" alt=\"4 1764144909\" width=\"466\" height=\"98\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">The next and most important step is the &#8220;<strong>Bypass Sandbox (escape the V8 sandbox).<\/strong>&#8221; The attacker exploits the\u00a0<code>JSPI<\/code>\u00a0(JavaScript Promise Integration) mechanism and uses the Promise stack to switch frames, creating &#8220;empty&#8221; (suspended) frames to escape the V8 sandbox and execute native code. 
After a successful bypass,\u00a0<strong>VirtualProtect<\/strong>\u00a0is called to execute the shellcode.<\/span><\/p>\n<p><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1764144909.jpeg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-23425\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1764144909.jpeg\" alt=\"5 1764144909\" width=\"740\" height=\"233\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1764144909.jpeg 740w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/2025\/11\/5-1764144909-700x220.jpeg 700w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><\/a><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Finally comes execution of the shellcode. The attacker calls\u00a0<code>VirtualProtect<\/code>\u00a0to set\u00a0<code>RWX<\/code>\u00a0(read-write-execute) permissions on a memory region, copies the executable code or payload into that region, and launches a\u00a0<code>calc.exe<\/code>\u00a0process to demonstrate arbitrary code execution on the target system.<\/span><\/p>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">The\u00a0<strong>RCE vulnerability bypassing the sandbox in Google Chrome through<\/strong>\u00a0<code>CanonicalEquality::EqualValueType()<\/code>\u00a0clearly demonstrates how\u00a0<strong>complex logic errors in type handling (type canonicalization)<\/strong>\u00a0can lead to\u00a0<strong>remote code execution at the system level<\/strong>, especially when combined with\u00a0<strong>sophisticated sandbox bypass techniques<\/strong>\u00a0like\u00a0<strong>JSPI stack switching<\/strong>.<\/span><\/p>\n<p><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Users and organizations need to have a\u00a0<strong>quick response 
strategy<\/strong>, especially in environments using WebAssembly or sandboxes. This vulnerability is not just a technical issue but also a warning about how small details in system logic can be exploited to break through the biggest security barriers.<\/span><\/p>\n<h2 id=\"heading-recommendations\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Recommendations<\/strong><\/span><\/h2>\n<ol>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Update Google Chrome immediately<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Check and ensure the browser is on the\u00a0<strong>latest version<\/strong>\u00a0(at least above M137 with the official patch if available).<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Visit:\u00a0<code>chrome:\/\/settings\/help<\/code>\u00a0to manually check and update.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Do not use Chrome with the<\/strong>\u00a0<code>--no-sandbox<\/code>\u00a0<strong>option<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Some users (especially devs or in Docker environments) launch Chrome with the\u00a0<code>--no-sandbox<\/code>\u00a0flag to avoid errors. 
This is\u00a0<strong>extremely dangerous<\/strong>\u00a0when there is an RCE vulnerability.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Remove this flag from all configurations (e.g., CI\/CD scripts, Dockerfile, shortcuts\u2026).<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Disable JavaScript or WebAssembly when not necessary<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">If browsing in high-risk environments (bug bounty, darknet, etc.), consider using extensions:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>NoScript<\/strong>\u00a0or\u00a0<strong>uBlock Origin<\/strong>\u00a0to block untrusted scripts\/WebAssembly.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">You can also block Wasm via\u00a0<code>chrome:\/\/flags<\/code>:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Search for\u00a0<code>\"WebAssembly\"<\/code>\u00a0and manually disable items like\u00a0<code>\"WebAssembly Garbage Collection\"<\/code>\u00a0if needed.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Configure systems to monitor suspicious behavior<\/strong><\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Monitor unusual activities such as:<\/span>\n<ul>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Chrome accessing unexpected memory addresses.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Unusual resource spikes when loading pages.<\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\">Unusual 
WebAssembly data in traffic (via proxy\/business IDS).<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Do not open strange links<\/strong>, especially HTML links sent via email\/chat.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p id=\"heading-reference\" class=\"permalink-heading\"><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><strong>Reference<\/strong><\/span><\/p>\n<ol>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cybersecuritynews.com\/google-chrome-rce-vulnerability\/#google_vignette\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/cybersecuritynews.com\/google-chrome-rce-vulnerability\/#google_vignette<\/a><\/span><\/li>\n<li><span style=\"font-size: 12pt;font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/ssd-disclosure.com\/google-chrome-rce-no-sandbox-via-canonicalequalityequalvaluetype\/\" target=\"_blank\" rel=\"noopener nofollow\">Google Chrome RCE (no sandbox) via CanonicalEquality::EqualValueType() &#8211; SSD Secure Disclosure<\/a><\/span><\/li>\n<\/ol>\n<\/div>\n<div class=\"-mt-5 mb-10\">\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><span style=\"font-family: arial, helvetica, sans-serif\"><strong class=\"custom-cursor-default-hover default_cursor_land\">Exclusive article by FPT IS Technology Experts<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><em class=\"custom-cursor-default-hover default_cursor_land\">Luu Tuan Anh \u2013 FPT IS Cyber Security 
Center<\/em><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"author":21,"featured_media":23428,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-23422","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/23422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/23428"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=23422"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=23422"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=23422"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/dich_vu?post=23422"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=23422"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=23422"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=23422"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=23422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}