This security flaw affects both Google Chrome and Microsoft Edge

News
By published

New zero-day vulnerability affects all Chromium-based browsers

Lock
(Image credit: Shutterstock)

A security researcher has published a proof-of-concept (PoC) exploit on Twitter for a recently discovered zero-day vulnerability in Google Chrome, Microsoft Edge and other Chromium-based browsers.

While this zero-day vulnerability has already been publicly disclosed, it has not yet been patched in the latest version of Chrome or Edge.

Security researcher Rajvardhan Agarwal created the PoC exploit for a remote code execution vulnerability for the V8 JavaScript engine found in Chromium-based browsers and published it in a tweet. Although the vulnerability has been fixed in the latest version of the V8 JavaScript engine, it's still unclear as to when Google will add it to Chrome.

The PoC HTML file created by Agarwal and its corresponding JavaScript file can be used to launch the calculator app on Windows 10 when loaded in a Chromium-based browser. However, the exploit is limited to running in the browser's sandbox which prevents remote code execution vulnerabilities from launching programs on a host computer.

Zero-day exploit

In order for Agarwal's exploit to work, it needs to be chained to another vulnerability that could allow it to get out of of the Chromium sandbox. To test the exploit, BleepingComputer launched both Chrome and Edge with the –no-sandbox flag enabled and from there, the news outlet was able to use the exploit to launch the calculator on a system running Windows 10.

Although releasing a zero-day exploit on Twitter is controversial on its own, some users on the social network took issue with the fact that Agarwal didn't credit Bruno Keith and Niklas Baumstark from Dataflow Security that first discovered the vulnerability. However, Agarwal claims that he wasn't aware that they had discovered the vulnerability when releasing his exploit.

Google is expected to release Chrome 90 to the Stable channel soon and we'll have to wait to see if the upcoming version of its browser includes a fix for this remote code execution vulnerability.

Via BleepingComputer

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
Avast cybersecurity
An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
A finger touching the google chrome icon in the Windows 10 start menu
A new Chrome browser highjacking attack could affect billions of users - here's how to fight it
Representational image depecting cybersecurity protection
Hackers are breaking SonicWall products to target business networks
The best free firewall
Microsoft fixes Power Pages security flaw, tells users to be on their guard
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Latest in Software & Services
TinEye website
I like this reverse image search service the most
A person in a wheelchair working at a computer.
Here’s a free way to find long lost relatives and friends
A white woman with long brown hair in a ponytail looks down at her computer in a distressed manner. She is holding her forehead with one hand and a credit card with the other
This people search finder covers all the bases, but it's not perfect
That's Them home page
Is That's Them worth it? My honest review
woman listening to computer
AWS vs Azure: choosing the right platform to maximize your company's investment
A person at a desktop computer working on spreadsheet tables.
Trello vs Jira: which project management solution is best for you?
Latest in News
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake
More about software services
Page shows the getting started page on the Notability app.

I enjoyed testing this satisfying note-taking app, but its collaboration skills were weak
A person in a wheelchair working at a computer.

Here’s a free way to find long lost relatives and friends
Asus Ascent GX10 Rear

Asus's more affordable version of Nvidia's uber-popular Project Digits snapped at GTC 2025
See more latest
Most Popular
Asus Ascent GX10 Rear
Asus's more affordable version of Nvidia's uber-popular Project Digits snapped at GTC 2025
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
The cast of Black Mirror season 7
Everything new on Netflix in April 2025 – including Black Mirror season 7 and Love on the Spectrum
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Businessman holding a magnifier and searching for a hacker within a business team.
Cloud streaming hoster StreamElements confirms data breach following attack