🐞Bug Spotlight: CVE-2025-10200 – Use-after-Free in Chrome Service Worker [bounty $43000]
One-shot renderer RCE to sandbox escape with a deep iterator invalidation
Issue: 🔒440454442 (currently private)
Reported by Looben Yang
Reverse engineering & PoC exploit by @alisaesage
Our Browser Exploit Design course is massive on Use-after-free issues, and comprehensively covers Chrome system internals. It also has a practical walkthrough of a relevant bug in Chrome browser process attack surface, from patch to PoC exploit: https://zerodayengineering.com/training/browser-exploit-design.html
Did you know? GDB has a built-in graphic interface, called TUI.
Commands:
- Turn on: tui enable
- Cycle through layout options: layout next
- Redirect target stdio/stderr to a log file to prevent curses UI breakage (or refresh)
(Showing @alisaesage's screen)
Our Zero Day Vulnerability Research course is full of deep insights useful for beginners that may surprise an experienced hacker: https://zerodayengineering.com/training/universal-vulnerability-research.html
Hypervisor Vulnerability Research self-paced training: https://zerodayengineering.com/training/hypervisor-vulnerability-research.html
Google recently announced their new AI Vulnerability Research Program.
Rewards are medium in comparison to Chrome VRP, but overall solid, considering an easier entry and non-binary focus.
This is a good security bounty option for beginners.
Link: https://bughunters.google.com/blog/6116887259840512/announcing-google-s-new-ai-vulnerability-reward-program
AI VR is no different from any other target. Having the right mental model makes the shift between domains as easy as swapping syntax.
Our Zero Day Vulnerability Research course, while BinExp-first, solves this with future-proof, systematic core models.
More information: https://zerodayengineering.com/training/universal-vulnerability-research.html
"It’s a rare mix of structured thinking and hands-on exploration." – karan bamal, Security Research @ SentinelOne | GCPN | OSCP | ...
Hypervisor Vulnerability Research self-paced training: https://zerodayengineering.com/training/hypervisor-vulnerability-research.html
Winter Bundles are here ✨🎄✨
Bundles are one of our most requested features.
Today, we've put together our best self-paced trainings
to keep one's head cool through Christmas holidays
and well into 2026.
Limited availability through mid January
Details: https://zerodayengineering.com/winter-deals.html
"I’ve hit the limits of scattered free material and generic exploit-dev content. ...
What stood out about ZDE’s course is how targeted and dense it is around actual 0-day discovery methodology and building a repeatable workflow, which is exactly the gap I’m trying to close." – Michael I., Cyber Security Researcher
Zero Day Vulnerability Research course: https://zerodayengineering.com/training/universal-vulnerability-research.html
⚡️ 0-Day Alert - Google Chrome exploit in the wild
Buffer overflow to sandbox escape in ANGLE component, potentially reachable directly through WebGL API (RCE)
Patched in Chrome Desktop 143.0.7499.109/.110 for Windows/Mac and 143.0.7499.109 for Linux
Chrome browser graphics internals & security were much requested and covered in our browser exploitation course: https://zerodayengineering.com/training/browser-exploit-design.html
🚨0-Day Alert: Full-chain exploit for Apple Safari/WebKit in the wild (just patched)
CVE-2025-43529: UaF in JSC Escape Analysis (RCE)
CVE-2025-14174: Buffer Overflow in ANGLE (Sandbox Escape)
⚠️The sandbox escape bug is the same as reported in Chrome last week: https://news.1rj.ru/str/zerodaytraining/175
WebKit UAF (CVE-2025-43529)
JSC DFG JIT missed Phi-merged youngsters during Escape Analysis, thereby allowing the GC to collect an object with a live reference.
To exploit: convert UAF to a type confusion, structure mismatch, ARW primitive (e.g. synthetic butterfly pointer)
@alisaesage
Apple recently bumped rewards for zero-days reported into their Security Bounty Program, with the biggest offer now at $2M.
New targets were added as well, including WebKit sandbox escape at $300K.
This is part of a solid industry-scale trend: tech giants are competing with black and gray markets to pay for top researchers' outputs.
Which also drives program conditions closer to real life – a much welcome dynamic!