CVE-2018-17463

HIGH KEV

Google Chrome < 70.0.3538.64 - Remote Code Execution via V8 Side Effect Annotation

Title source: llm

Exploitation Summary

CVE-2018-17463 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022. EIP tracks 4 public exploits from researchers including Metasploit, jhalon, kdmarti2, including a Metasploit module exploits/multi/browser/chrome_object_create.

AI-analyzed exploit summary This Metasploit module exploits a type confusion vulnerability in Google Chrome's JIT compiler (CVE-2018-17463) by manipulating Object.create to confuse PropertyArray and NameDictionary types, leading to arbitrary memory read/write and RCE in the sandboxed renderer process.

Description

Incorrect side effect annotation in V8 in Google Chrome prior to 70.0.3538.64 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/48184

View Code ZIP pw:eip

This Metasploit module exploits a type confusion vulnerability in Google Chrome's JIT compiler (CVE-2018-17463) by manipulating Object.create to confuse PropertyArray and NameDictionary types, leading to arbitrary memory read/write and RCE in the sandboxed renderer process.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome 67, 68, 69

No auth needed

Prerequisites: Browser must be run with --no-sandbox flag

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 11 stars

by jhalon · client-side

https://github.com/jhalon/CVE-2018-17463

View Code ZIP pw:eip

This is a working proof-of-concept exploit for CVE-2018-17463, leveraging a type confusion vulnerability in V8 to achieve arbitrary memory read/write and execute shellcode via WebAssembly RWX pages. The exploit demonstrates a full chain from primitive development to RCE by popping a calculator.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: V8 JavaScript Engine (Node.js/Chrome)

No auth needed

Prerequisites: Vulnerable version of V8 (pre-patch for CVE-2018-17463) · Execution context in a browser or Node.js environment

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by kdmarti2 · client-side

https://github.com/kdmarti2/CVE-2018-17463

View Code ZIP pw:eip

This is a working exploit for CVE-2018-17463, a type confusion vulnerability in V8 JavaScript engine. It achieves arbitrary read/write and executes a shellcode payload to spawn a shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: V8 JavaScript Engine (Node.js/Chrome)

No auth needed

Prerequisites: Vulnerable version of V8 JavaScript engine

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC MANUAL

by saelo, timwr · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/chrome_object_create.rb

View Code ZIP pw:eip

This Metasploit module exploits a type confusion vulnerability in Google Chrome's JIT compiler (CVE-2018-17463) and optionally uses CVE-2019-1458 for sandbox escape on Windows 7. It achieves remote code execution by manipulating Object.create to confuse PropertyArray and NameDictionary types.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome 67, 68, and 69

No auth needed

Prerequisites: Target must visit a malicious URL · Chrome must be launched with --no-sandbox for basic RCE · Vulnerable Windows 7 for sandbox escape

MITRE ATT&CK