Is the era of browser malware returning? Inside Chrome V8 zero‑day CVE‑2026‑5865

Vulnerability Overview

CVE Number: CVE-2026-5865

Vulnerability Type: Type Confusion

Affected Component: Google Chrome V8 JavaScript engine

Severity: High (CVSS ~8.8)

Affected Versions: Chrome versions below 147.0.7727.55 and other Chromium‑based browsers (Edge, Brave)

Technical Deep‑Dive

The core issue lies in V8's optimizing compilers—TurboFan and Maglev—mis‑handling JavaScript objects during JIT compilation. When the compiler predicts an object's structure based on prior executions, a crafted edge case forces it to treat a resource of one type as an incompatible type.

Trigger Mechanism: An attacker delivers a specially crafted HTML page with malicious JavaScript that coerces V8 into making an incorrect type assumption for a target object.

Type‑Confusion Logic: During JIT optimization, the compiler erroneously accesses memory belonging to a different type. For example, it may read an address intended for an "integer array" as if it were an "object pointer array".

Exploitation:

Arbitrary Read/Write: The type mismatch bypasses V8's safety checks, granting the attacker unrestricted read/write access to the renderer process memory.

Remote Code Execution (RCE): With memory control, the attacker can corrupt internal data structures or function pointers, enabling execution of arbitrary code inside the browser sandbox.

Fix Logic

Google reinforced TurboFan's constraint tracking in newer releases. The patch mandates a strict synchronization check before any operation involving a deprecated Map proceeds, ensuring the compiler validates object structures in real time and does not skip verification.

The vulnerability is notable for bypassing the previously trusted Map verification chain, which is why it is classified as a high‑severity zero‑day.

The author does not publish a PoC, noting the seriousness of the flaw and recommending waiting for the fix before further analysis. Monitoring indicates that wild exploitation attempts have already been observed.