What starting position does this attack require?

The first step is Code-exec in renderer process (T1190) — a initial access primitive. Assumed environment: target user runs an outdated browser.

What is the final impact of this kill-chain?

The final step lands on Sandbox escape via Mojo IPC (BRW-CHROME-IPC), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 7 steps · 6 edges

Approved

V8 type-confusion 1-day → renderer RCE

Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Initial Access

Code-exec in renderer process

T1190 · Exploit Public-Facing Application

Persistence

Drop user-context implant

T1547 · Boot or Logon Autostart Execution

Initial Access

Lure victim to attacker page

T1566 · Phishing

Execution

Achieve addrof + fakeobj

BRW-V8-TYPE-CONFUSION · V8 Type Confusion → JIT Exploitation

Execution

Trigger V8 type confusion

BRW-V8-TYPE-CONFUSION · V8 Type Confusion → JIT Exploitation

Execution

WASM JIT RWX page → shellcode

BRW-WASM-OOB · WebAssembly Bounds-Check Bypass

Privilege Escalation

Sandbox escape via Mojo IPC

BRW-CHROME-IPC · Chromium Mojo IPC Confused-Deputy

§ Context

Assumed environment: target user runs an outdated browser. Attacker hosts the exploit on a malicious page (or compromised legitimate site). N-day chain is reproducible and well-documented.

§ Steps

01
Code-exec in renderer processInitial Access
T1190— Exploit Public-Facing Application
02
Drop user-context implantPersistence
T1547— Boot or Logon Autostart Execution
03
Lure victim to attacker pageInitial Access
T1566— Phishing
04
Achieve addrof + fakeobjExecution
BRW-V8-TYPE-CONFUSION— V8 Type Confusion → JIT Exploitation
05
Trigger V8 type confusionExecution
BRW-V8-TYPE-CONFUSION— V8 Type Confusion → JIT Exploitation
06
WASM JIT RWX page → shellcodeExecution
BRW-WASM-OOB— WebAssembly Bounds-Check Bypass
07
Sandbox escape via Mojo IPCPrivilege Escalation
BRW-CHROME-IPC— Chromium Mojo IPC Confused-Deputy

§ References

§ Frequently asked

What is the "V8 type-confusion 1-day → renderer RCE" attack path?: Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page. It chains 7 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Code-exec in renderer process (T1190) — a initial access primitive. Assumed environment: target user runs an outdated browser.
What is the final impact of this kill-chain?: The final step lands on Sandbox escape via Mojo IPC (BRW-CHROME-IPC), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

V8 type-confusion 1-day → renderer RCE

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Rowhammer → bit flip → in-browser sandbox escape

OneNote .one attachment → embedded payload → C2