BRW-V8-TYPE-CONFUSIONExecution

V8 Type Confusion → JIT Exploitation

JavaScript bug confuses V8 about an object's shape; speculative JIT load reads from the wrong slot — primitive to addrof / fakeobj, then RCE in the renderer.

§ Where this technique fits

BRW-V8-TYPE-CONFUSION is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

V8 type-confusion 1-day → renderer RCE
Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
step 2 / 7

§ What commonly comes next

01
WebAssembly Bounds-Check Bypass
BRW-WASM-OOB · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

V8 type-confusion 1-day → renderer RCE

§ What commonly comes next