Jack Ren (@bjrjk)

51 posts

Pursuit for a broad horizon. | Opinions are my own.

Joined April 2013
309 Following · 699 Followers
Jack Ren reposted
whw (@WHW_0x455):
Bypass PAC in JIT - CVE-2024-27834 And I'm ready for my Spring Festival holiday 🥳 gist.github.com/WHW0x455/3c219…
Replies: 1 · Reposts: 30 · Likes: 138 · Views: 7.4K

Jack Ren (@bjrjk):
A carefully structured, tiered root cause analysis for CVE-2025-43529 (JSC UAF). Spent quite some time refining the structure to make the reasoning explicit and readable. Shoutout to @jir4vv1t for his detailed analysis and exploit. github.com/bjrjk/CVE-2025…
Replies: 2 · Reposts: 32 · Likes: 133 · Views: 11.6K

Jack Ren reposted
Mr. Anthony 安東尼 (@darkfloyd1014):
This time is a real thrilling announcement as our paper about template-based fuzzing for JavaScript engines is accepted in OOPSLA24-25. Thank you so much to every co-author, including Ken Wong, Dongwei Xiao, Dr. Daoyuan Wu, Dr. Shuai Wang and Yiteng Peng. What a good evening! @wwkenwong @wangshuai901
Replies: 3 · Reposts: 8 · Likes: 51 · Views: 6.5K

Jack Ren (@bjrjk):
Thanks to the reminder of @mistymntncop , I'm able to find an official writeup of Kaspersky and construct AddressOf / FakeObject primitives using their directives. The repository has been updated to include the codes and analysis.
Replies: 0 · Reposts: 0 · Likes: 7 · Views: 330

Jack Ren reposted
j j (@mistymntncop):
My writeup for CVE-2024-7971. Just a POC. Let me know if u have any questions. github.com/mistymntncop/C…
Replies: 9 · Reposts: 64 · Likes: 248 · Views: 21.2K

Jack Ren (@bjrjk):
@buptsb Sincere thanks to you, V8 developers!🤣
Replies: 0 · Reposts: 0 · Likes: 5 · Views: 254

sakura (@eternalsakura13):
@xvonfers Perhaps they also need to prove the amount of work they've done?
Replies: 2 · Reposts: 0 · Likes: 1 · Views: 577

xvonfers (@xvonfers):
Turbolev (Turboshaft with Maglev as a frontend (faster & simpler arch)) is a new attack surface. Flags: "--turboshaft" & "--turbolev". Discrepancies between the two IR frameworks might lead to... chromium-review.googlesource.com/q/hashtag:%22t… chromium-review.googlesource.com/q/project:v8/v…
Quoted post from xvonfers (@xvonfers):

Maglev as a Frontend for Turboshaft docs.google.com/document/d/1Ba…
Turboshaft Frontend - Preliminary Design Elements docs.google.com/document/d/1vL…
Turboshaft JS Inlining and In-place Mutations docs.google.com/document/d/1_L…
Maglev with the Reducer Framework docs.google.com/document/d/1i1…

Replies: 16 · Reposts: 6 · Likes: 32 · Views: 18.1K

xvonfers (@xvonfers):
@bjrjk @__nils_ Excellent RCA and concise PoC & Exploit! Great job, Jack🔥🔥🔥 As always, at the highest level!
Replies: 1 · Reposts: 0 · Likes: 1 · Views: 337

Jack Ren (@bjrjk):
Analysis and Exploit for CVE-2024-8381, a SpiderMonkey Interpreter Type Confusion Bug! Unfortunately, due to the nature of this bug, the exploit is only applicable when ASLR is disabled. Shoutout to @__nils_ for finding this bug. github.com/bjrjk/CVE-2024…
Replies: 3 · Reposts: 36 · Likes: 166 · Views: 10.1K

Jack Ren (@bjrjk):
@mistymntncop @__nils_ Unfortunately, I'm only able to exploit without ASLR. Hope even in that case, it will help you😄
Replies: 1 · Reposts: 0 · Likes: 0 · Views: 291

j j (@mistymntncop):
@bjrjk @__nils_ Thank you @bjrjk ! I had a look at this bug and am very interested in exploitation. I will read now!!! :)
Replies: 1 · Reposts: 0 · Likes: 4 · Views: 446

Jack Ren (@bjrjk):
@darkfloyd1014 @cffsmith It seems that the ticket system has been closed. People who want to join in cannot buy ticket now. 🤣
Replies: 3 · Reposts: 0 · Likes: 1 · Views: 222

Mr. Anthony 安東尼 (@darkfloyd1014):
My great pleasure, as @cffsmith has shared in VXCON and guided us a lot. Welcome to Hong Kong; probably we will have deep sharing. Please join us at vxcon.hk
Quoted post from VXCON (@vxresearch):

We feel really honoured to have Carl Smith from Google v8 to present in #VXCON
Talk Title: Fuzzing for complex bugs across languages in JavaScript Engines
Abstract: The fuzzing of Wasm is not a new concept. Since Wasm is a binary format, it's relatively easy to employ a modern binary fuzzer like AFL++ to create modules and subsequently invoke them. However, this approach has limitations. Wasm modules can be utilized in more intricate contexts within web applications, typically collaborating with JavaScript code to accomplish more complex tasks. Linking and combining modules is possible, but it often requires the developer or fuzzer to possess in-depth knowledge of the modules involved. To address this challenge, we extended Fuzzilli's intermediate language to include instructions that describe Wasm modules. This allows us to comprehensively track and infer the module and its associated data. By doing so, we open up new possibilities for fuzzing. It becomes feasible to combine JavaScript and Wasm code within a single fuzz test case, enabling cross-language type tracking and inference. These test cases exhibit more intricate behavior and, when combined with Fuzzilli's templating capabilities, facilitate the generation of complex and compelling test cases. We will look at some advanced browser fuzzing and some of the exciting test cases and bugs this has found in V8. @cffsmith

Replies: 2 · Reposts: 0 · Likes: 5 · Views: 790