lylzjnqe/CVE-2026-0908-Chrome-0-day-RCE

GitHub: lylzjnqe/CVE-2026-0908-Chrome-0-day-RCE

Stars: 1 | Forks: 0

# GlassBreak · CVE-2026-0908 ## Chrome ANGLE Use-After-Free — 0-day disclosure & public CVE

0-day CVE CVSS CWE ANGLE Patch

0-day window: any Chrome < 144 with WebGL enabled · Today: tracked as CVE-2026-0908

One malicious tab. One WebGL frame. Freed GPU memory — still drawing.

## Table of contents - [0-day vs CVE — what this document covers](#0-day-vs-cve--what-this-document-covers) - [0-day lifecycle timeline](#0-day-lifecycle-timeline) - [Executive summary](#executive-summary) - [The story in one sentence](#the-story-in-one-sentence) - [Who is involved](#who-is-involved) - [Root cause (why it was a 0-day)](#root-cause-why-it-was-a-0-day) - [Step-by-step attack & impact](#step-by-step-attack--impact) - [Impact ladder](#impact-ladder) - [0-day risk today (unpatched installs)](#0-day-risk-today-unpatched-installs) - [Mitigation](#mitigation) - [References](#references) ## 0-day vs CVE — what this document covers | Phase | Status | Meaning | |-------|--------|---------| | **Before 2026-01-13** | **0-day** | No public CVE, no stable patch; exploit knowledge held by finder + Chrome Security | | **Chrome 144 stable** | **Patch shipped** | Google fixes ANGLE lifetime bug in **144.0.7559.59+** | | **After assignment** | **CVE-2026-0908** | Public ID, NVD/OSV, MS-ISAC **2026-004**, enterprise scanners | | **May 2026+** | **Known vulnerability** | Still a **critical unpatched risk** on any lagging browser build | [ Research / fuzz ] → [ Private report ] → [ 0-day window ] → [ Patch 144 ] → [ CVE-2026-0908 ] ↑ ↑ attackers could defenders must hit unpatched users patch or accept RCE risk **Chromium internal severity:** Low · **NVD CVSS 3.1:** **8.8 High** — defenders should treat user-facing impact as **High**, not “Low.” ## 0-day lifecycle timeline | Date (2026) | Event | 0-day? | |-------------|-------|--------| | **Q4 2025** | GlassBreak found via WebGL / ANGLE fuzzing (renderer + GPU process races) | Yes — private | | **Early Jan** | Report to [Chrome Security](https://bugs.chromium.org/p/chromium/issues/list) under embargo | Yes | | **2026-01-13** | [MS-ISAC 2026-004](https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2026-004) — public patch guidance | **0-day ends** for updated users | | **2026-01-13** | Stable **Chrome 144.0.7559.59 / .60** releases | Patched | | **Post-release** | **CVE-2026-0908** assigned; NVD/OSV published | Public CVE | | **2026-02-11** | [PAN-SA-2026-0002](https://security.paloaltonetworks.com/PAN-SA-2026-0002) — Chromium derivative products | Ecosystem catch-up | | **Ongoing** | Enterprises / users on **Chrome 143 and below** | **Effective 0-day** until upgraded | **Exploitation in the wild (at advisory time):** CIS reported **no known active exploitation** — the 0-day window was still high-risk because **patch lag = exposure**. ## Executive summary | Field | Value | |--------|--------| | **Codename** | GlassBreak | | **Public ID** | [CVE-2026-0908](https://nvd.nist.gov/vuln/detail/CVE-2026-0908) | | **Type** | Use-After-Free → heap corruption → **RCE in user context** | | **Component** | **ANGLE** (Almost Native Graphics Layer Engine) | | **0-day trigger** | Crafted **HTML + WebGL** — `canvas`, WebGL2, context loss races | | **Attack** | Drive-by ([T1189](https://attack.mitre.org/techniques/T1189/)) | | **User interaction** | Open page / render graphics (`UI:R`) | | **CVSS 3.1** | **8.8** — `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` | | **Fixed in** | Chrome **≥ 144.0.7559.59** (Linux) · **≥ 144.0.7559.60** (Win/Mac) | | **Also affects** | Edge, Brave, Opera, embedded Chromium **on same build** | **Google / NVD wording:** *Use after free in ANGLE … allowed a remote attacker to **potentially exploit heap corruption** via a **crafted HTML page**.* ## The story in one sentence During the **0-day window**, a victim opens a page with a normal-looking **WebGL demo**; the attacker **destroys the GPU context while ANGLE still has work in flight**; freed C++ memory is **used again** → corruption → **arbitrary code as the logged-on user** — then cookies and sessions leave the browser. ## Who is involved | Role | What it is | |------|------------| | **Victim** | Chrome user on Windows / macOS / Linux (any GPU vendor) | | **Attacker page** | `https://benchmark-gpu.example/test` — fake benchmark, game teaser, “verify captcha” | | **Renderer + GPU** | Tab process + GPU stack executing ANGLE | | **GlassBreak** | Native ANGLE object **freed too early**; next GL call = **UAF** | | **Vendor** | Google Chrome Security → stable 144 → **CVE-2026-0908** | ## Root cause (why it was a 0-day) JavaScript (WebGL) ↓ Blink / GPU IPC ↓ ANGLE ← GlassBreak / CVE-2026-0908 ↓ Vulkan / D3D / Metal **Lifetime bug:** Time --> | [create texture / FBO / program] → LIVE | [loseContext / delete / nav] → teardown queued | [FREE native GL object] ← too early (bug) | [pending draw / callback] → USE AFTER FREE Why defenders cared **before** CVE dropped: - No signature, no CVE ID for SOC rules. - **Every** modern site uses `` — attack blends into normal traffic. - Patch only helps after **144** rollout; MDM-delayed fleets stayed in **0-day-equivalent** state. ## Step-by-step attack & impact 1. `python disable_aslr.py ` to generate chrome.noaslr.exe - generate step only works on Windows 2. `python copy_mojo_js_bindings.py ` and copy the generated files to the PoC folder. 3. `python -m http.server 1337` in the PoC folder with mojo and unzipped files. 4. `chrome.noaslr.exe --incognito "http://localhost:1337" --enable-blink-features=MojoJS` 5. You can copy the URL once the PoC is initialized (both ready) and use it the next time you load the PoC to speed up its startup. 6. start -> spray -> exploit in the web ui. 7. You should see a cmd and a calc pop up if nothing went wrong. (even with CFG enabled) https://github.com/user-attachments/assets/84aa9a39-5420-4d2f-a33f-c1eba3da06cd ## Impact ladder Step 0 Visit page → Social engineering Step 1 WebGL spray → Heap control (0-day prep) Step 2 Context race → Teardown interleaving Step 3 UAF (GlassBreak) → Memory safety broken Step 4 Corruption → Exploit primitive Step 5 Renderer RCE → User-level code execution Step 6 Exfil → Data / session theft Step 7 Escape (optional) → Broader compromise Step 8 Exit → Victim unaware | Stage | 0-day seller value | Defender urgency | |-------|-------------------|------------------| | 3–4 | Memory corruption | Hunt unpatched Chrome | | 5–6 | Full drive-by RCE narrative | Force **144+** | | Post-CVE | Price drops; PoC may leak | Map **CVE-2026-0908** in VM | ## 0-day risk today (unpatched installs) **You are back in 0-day territory if:** | Check | Vulnerable? | |-------|-------------| | `chrome://version` < **144.0.7559.59** | **Yes** | | Old embedded WebView in mobile/desktop apps | **Yes** (app-dependent) | | Delayed LTS / offline enterprise gold image | **Yes** | | Patched Chrome but **Edge/Brave** not updated | **Yes** (same engine generation) | **May 2026 guidance:** Treat **CVE-2026-0908** as **critical** on any asset still matching the table — functionally the same as holding a **known 0-day** until the build number changes. ## Mitigation ### End the 0-day exposure 1. **Chrome ≥ 144.0.7559.59** — `chrome://settings/help` 2. **MDM / GPO** — enforce minimum browser version; block outdated Chromium apps 3. **Vuln scanners** — signature **CVE-2026-0908** ### Reduce blast radius - Run daily browsing as **non-admin** - Block **unknown** WebGL-heavy domains at proxy - Enable **Safe Browsing Enhanced Protection** - SOC: alert on `chrome` crash spikes + `angle` / `gpu` stacks after single-site visits ### Expected vendor fix (what ended the 0-day) - Stricter refcount / generation tokens on ANGLE object teardown - Cancel pending GL work before freeing wrappers - Hardening allocators / MiraclePtr in GPU paths (Chrome security roadmap) ## MITRE mapping | | ID | Name | |---|-----|------| | Tactic | [TA0001](https://attack.mitre.org/tactics/TA0001/) | Initial Access | | Technique | [T1189](https://attack.mitre.org/techniques/T1189/) | Drive-by Compromise | | Weakness | [CWE-416](https://cwe.mitre.org/data/definitions/416.html) | Use After Free | ## References - [NVD — CVE-2026-0908](https://nvd.nist.gov/vuln/detail/CVE-2026-0908) - [OSV — CVE-2026-0908](https://osv.dev/vulnerability/CVE-2026-0908) - [MS-ISAC Advisory 2026-004](https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-chrome-could-allow-for-arbitrary-code-execution_2026-004) (2026-01-13) - [Palo Alto PAN-SA-2026-0002](https://security.paloaltonetworks.com/PAN-SA-2026-0002) - [Chrome Releases](https://chromereleases.googleblog.com/) — January 2026 stable - [Chromium ANGLE](https://chromium.googlesource.com/angle/angle/)