CVE-2017-15428

HIGH

Google Chrome < 62.0.3202.94 - Remote Code Execution via V8 Builtins String Generator

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15428. PoCs published by w1ldb1t.

AI-analyzed exploit summary This repository contains a working exploit for CVE-2017-15428, a V8 JavaScript engine vulnerability. The exploit leverages a type confusion bug to achieve remote code execution (RCE) via crafted JavaScript, including shellcode for executing commands like '/bin/sh' and '/usr/bin/id'.

Description

Insufficient data validation in V8 builtins string generator could lead to out of bounds read and write access in V8 in Google Chrome prior to 62.0.3202.94 and allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Exploits (1)

nomisec WORKING POC
by w1ldb1t · poc
https://github.com/w1ldb1t/CVE-2017-15428

This repository contains a working exploit for CVE-2017-15428, a V8 JavaScript engine vulnerability. The exploit leverages a type confusion bug to achieve remote code execution (RCE) via crafted JavaScript, including shellcode for executing commands like '/bin/sh' and '/usr/bin/id'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Chromium/Chrome V8 JavaScript engine (versions prior to fix)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute crafted JavaScript · Target must be running a vulnerable version of Chromium/Chrome
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Issue Tracking x_refsource_misc
https://crbug.com/782145

Scores

CVSS v3 8.8
EPSS 0.1812
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-125 CWE-787
Status published
Products (1)
google/chrome < 62.0.3202.94
Published Jan 09, 2019
Tracked Since Feb 18, 2026