A critical remote code execution (RCE) flaw in Google Chrome has been publicly disclosed, and a proof-of-concept exploit is circulating. The vulnerability leverages a Wasm and JavaScript combo to achieve full stack control and spawn shellcode execution. Users must upgrade to Chrome version M137.0.7151.57 or later without delay.
Technical Exploit Breakdown & Risk Mechanism
Attackers exploit this vulnerability by targeting Chrome’s handling of suspended frames. They inject attacker-controlled values that bypass checks within Wasm’s nullability logic, causing out-of-bounds access into large ArrayBuffers. From there, they orchestrate a return-oriented programming (ROP) chain that invokes VirtualProtect on an RWX (read-write-execute) memory buffer, enabling arbitrary shellcode execution.
In one demonstration, the exploit script triggered calc.exe via crafted HTML and JavaScript. It includes an HTML file (exp.html) bundled with a wasm-module-builder.js that engineers type collisions, stack switching, and gadget sprays.
Interestingly, the vulnerability arises from a regression in nullability enforcement within V8’s JavaScript engine, restoring code paths that skip SBX_CHECK safety gates. Google has already committed a patch to reintroduce stricter safety and revert the problematic change.
Affected Versions & Patch Status
Chrome builds before M137.0.7151.57 (and equivalent stable channel builds) are vulnerable. Google’s patch addresses both the nullability logic and stack integrity checks in V8.
SecurityWeek confirms that this update is part of Chrome’s regular cycle but was expedited due to the exploit disclosure. Administrators managing Chrome fleets, especially in enterprise settings, must enforce immediate rollout and disable delayed upgrades for vulnerable channels.
Threat Model & Implications
This exploit requires the user to visit a malicious page or load a compromised web view; no download or plugin is needed. Because it operates via JavaScript/Wasm inside the browser, detection is difficult for traditional AV products.
The attacker can fully escape sandbox boundaries, execute system-level commands, and pivot within the host OS. In corporate environments, this risk can cascade: from web browsers to internal credentials, incident tooling, or lateral movement.
In short, this RCE is a remote zero-click path to system compromise. For high-value targets (developers, admins, financial operators), the window for exploitation is dangerous.
Mitigation Strategies & Defensive Actions
To mitigate this vulnerability effectively, organizations and Chrome users should:
- Update immediately to Chrome M137.0.7151.57 or higher across all platforms (Windows, macOS, Linux).
- Enforce auto-updates or centrally managed patch distribution in enterprise environments.
- Isolate untrusted browsing by using browser sandboxing or containerized sessions for unknown sites.
- Deploy web content filtering or sandbox profiles that block untrusted Wasm-heavy pages.
- Monitor browser crash logs and telemetry for anomalies like unexpected frame suspensions or syscall counts.
- Rotate session tokens, credentials, and local caches after patching to cut off possible residual access.
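The first two steps above depend on knowing which endpoints still run a build older than M137.0.7151.57. The script below is an added example, not code from the article or from Google: it parses Chrome version strings (with or without the "M" prefix) into numeric tuples so that comparison is correct (a plain string compare would rank "99.0.4844.51" above "137.0.7151.57"), and sorts a fleet inventory into patched, vulnerable and unknown buckets. The hostnames and version numbers in SAMPLE_INVENTORY are constructed for illustration; in practice the rows would come from your endpoint management or asset inventory export.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed release named in the advisory; any build below it is vulnerable.
FIXED_VERSION = "137.0.7151.57"

# Chrome versions have exactly four numeric components; an optional leading
# "M" (milestone prefix) is accepted because advisories often write it.
_VERSION_RE = re.compile(r"^M?(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '137.0.7151.57' or 'M137.0.7151.57' into a 4-tuple of ints.

    Returns None when the string is not a full four-component Chrome
    version, so callers can treat malformed inventory rows as 'unknown'
    rather than silently classifying them.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version: str) -> bool:
    """True when the installed build is older than FIXED_VERSION."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Chrome version: {version!r}")
    fixed = parse_version(FIXED_VERSION)
    assert fixed is not None  # FIXED_VERSION is a well-formed constant
    return parsed < fixed


def triage_inventory(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into patched / vulnerable / unknown.

    Unknown rows (empty or malformed version strings) are reported
    separately so they are chased down instead of being assumed safe.
    """
    report: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in rows:
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


# Constructed sample inventory: hypothetical hostnames and version strings,
# not data from any real fleet.
SAMPLE_INVENTORY = [
    ("ws-finance-01", "136.0.7103.113"),  # older milestone: vulnerable
    ("ws-dev-07", "M137.0.7151.57"),      # exactly the fixed build: patched
    ("ws-admin-02", "137.0.7151.68"),     # later patch level: patched
    ("ws-legacy-03", "99.0.4844.51"),     # string compare would get this wrong
    ("ws-unknown-04", "n/a"),             # inventory gap: needs follow-up
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the real inventory as (hostname, version) rows and treat the "unknown" bucket as a to-do list, not as clean: an endpoint whose browser version cannot be read is one you cannot confirm is patched.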
These steps combine rapid patching with architectural defense, exactly what a defense-in-depth strategy demands in modern browser security.
FAQs
Q: Which Chrome versions are affected?
A: Chrome versions prior to M137.0.7151.57 (and matching stable builds) are vulnerable.
Q: How does the exploit execute shellcode?
A: It leverages Wasm and JavaScript to force out-of-bounds access, then uses a ROP chain and VirtualProtect to make memory executable.
Q: Does the user need to download something?
A: No. Just visiting a malicious web page or opening a crafted HTML file is sufficient.
Q: Can antivirus detect this exploit?
A: Likely not reliably; the exploit executes within browser memory using permitted APIs, evading many signature-based defenses.
Q: What should organizations prioritize first?
A: Immediate patching across all Chrome endpoints and disabling open browsing to untrusted web content while rollout completes.