Type Confusion in Google Chrome V8 Turbofan
CVE-2020-6418 is a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome, affecting versions prior to 80.0.3987.122. The flaw is in Turbofan, V8’s optimizing compiler, specifically in Map reliability analysis performed by InferMapsUnsafe in src/compiler/node-properties.cc. A JSCreate node was incorrectly modeled during effect-chain analysis as not invalidating Map reliability. As a result, Turbofan could incorrectly omit necessary Map checks after a side effect changed an object’s effective type information. A crafted JavaScript sequence, including use of Reflect.construct() with a Proxy argument that is reduced into a JSCreate node during optimization, can cause the compiler to retain stale type assumptions. This leads to type confusion between different array/object representations, enabling out-of-bounds memory access and heap corruption when optimized code operates on objects whose actual layout no longer matches the compiler’s assumptions. Google described the issue as allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept (PoC) exploit for CVE-2020-6418, a type confusion vulnerability in the V8 JavaScript engine (used in Google Chrome). The repository consists of two files: a README.md with environment setup and references, and the main exploit script cve_2020_6418_exploit.js. The exploit script demonstrates how to achieve out-of-bounds (OOB) array access in V8, which is then leveraged to gain arbitrary read/write primitives. Using these primitives, the exploit locates a WebAssembly function's code address and injects native shellcode, ultimately achieving arbitrary code execution. The exploit is operational and demonstrates a full sandbox escape, but does not include a full browser sandbox escape (as noted in the README). No network or file endpoints are hardcoded in the exploit; it is a local, browser-based attack requiring the ability to execute JavaScript in a vulnerable V8 environment.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newer Chromium vulnerability incorporated into the MOONSHINE exploit kit and used in the wild to compromise Android apps with embedded vulnerable Chrome or TBS engines.
A type confusion vulnerability in Google Chrome's V8 engine (Turbofan) caused by incorrect side-effect modeling of JSCreate, which can lead to out-of-bounds access, heap corruption, and exploitation.
A V8 JavaScript engine vulnerability involving a side-effect in the kJSCreate opcode, discussed in the context of regression tests and exploit development for n-day bugs.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.