DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-8880: Race Against Time: Cracking V8's ReadableStream with SharedArrayBuffers


Vulnerability ID: CVE-2025-8880
CVSS Score: 8.8
Published: 2025-08-13

In the quest for blazing-fast JavaScript execution, V8 avoids copying the chunks it pulls from a ReadableStream, and that shortcut opens a classic race window. By feeding the WebAssembly streaming compiler a ReadableStream whose chunks are views over a mutable SharedArrayBuffer, an attacker can pull a 'bait-and-switch' on the engine: the module bytes are rewritten between validation and compilation, so the compiler consumes input the validator never saw, with remote code execution as the worst-case outcome.

TL;DR

CVE-2025-8880 is a TOCTOU (time-of-check to time-of-use) race condition in Google Chrome's V8 engine. It occurs when a ReadableStream consumer, specifically the WebAssembly streaming compiler, reads chunks whose backing store is a SharedArrayBuffer. Because that memory is shared, a Web Worker holding another view of the same buffer can modify the bytes after V8 has validated them but before V8 compiles them. The compiler then trusts validation results that no longer describe the bytes in front of it, which can corrupt memory and, in the worst case, be chained into an escape from the V8 sandbox to execute arbitrary code.
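The window described above, as an added example that is not code from the original post or from V8. It models the check-then-use pattern with a small WebAssembly section walker of its own: the "validator" checks the module header and that every section fits in the buffer, the "consumer" later re-reads the same bytes trusting that layout. A second Uint8Array over the same SharedArrayBuffer stands in for the attacker's worker and rewrites one byte between the two steps. The hand-built module bytes, the functions and the `copyFirst` switch are this example's own; `WebAssembly.validate` is the real engine validator and is used only to confirm which bytes actually reached the consumer.

```javascript
// Added example, not code from the original post or from V8. Models the
// check-then-use race on a SharedArrayBuffer-backed stream chunk and the
// fix (snapshot into a private buffer before validating).

// Constructed minimal module: magic, version 1, a type section with one
// empty function type, a function section, and a code section with one
// empty body. It is a valid module as written.
const SAMPLE_MODULE = Uint8Array.from([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type section: () -> ()
  0x03, 0x02, 0x01, 0x00,                         // function section: func 0 uses type 0
  0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,             // code section: one body, just "end"
]);
const FUNCTYPE_OFFSET = 11; // the 0x60 byte; 0xff there is an invalid functype

// Unsigned LEB128 decoder; wasm section sizes are encoded this way.
function readU32(bytes, offset) {
  let value = 0, shift = 0, pos = offset;
  for (;;) {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    const b = bytes[pos++];
    value |= (b & 0x7f) << shift;
    if ((b & 0x80) === 0) return { value: value >>> 0, next: pos };
    shift += 7;
    if (shift > 28) throw new RangeError("LEB128 too long");
  }
}

// Time of check: verify the header and that every section lies inside the buffer.
function validateLayout(bytes) {
  if (bytes.length < 8) throw new Error("too short");
  if (!(bytes[0] === 0 && bytes[1] === 0x61 && bytes[2] === 0x73 && bytes[3] === 0x6d)) {
    throw new Error("bad magic");
  }
  const version = bytes[4] | (bytes[5] << 8) | (bytes[6] << 16) | (bytes[7] << 24);
  if (version !== 1) throw new Error("unsupported version");
  const sections = [];
  let pos = 8;
  while (pos < bytes.length) {
    const id = bytes[pos];
    const { value: size, next } = readU32(bytes, pos + 1);
    if (next + size > bytes.length) throw new Error(`section ${id} overruns buffer`);
    sections.push({ id, start: next, end: next + size });
    pos = next + size;
  }
  return sections;
}

// Time of use: a consumer that trusts the validated layout and re-reads the bytes.
function consumeSections(bytes, sections) {
  return sections.map(({ id, start, end }) => ({
    id,
    payload: Array.from(bytes.subarray(start, end)),
  }));
}

// check -> attacker write -> use. copyFirst=true is the fix: slice() allocates
// a plain (non-shared) ArrayBuffer, so the worker's write cannot reach it.
function runPipeline(copyFirst) {
  const sab = new SharedArrayBuffer(SAMPLE_MODULE.length);
  const streamView = new Uint8Array(sab);   // what the stream consumer is handed
  streamView.set(SAMPLE_MODULE);
  const workerView = new Uint8Array(sab);   // same memory, as a worker would see it
  const input = copyFirst ? streamView.slice() : streamView;
  const sections = validateLayout(input);   // time of check
  workerView[FUNCTYPE_OFFSET] = 0xff;       // bait-and-switch after the check
  const consumed = consumeSections(input, sections); // time of use
  return {
    inputIsShared: input.buffer instanceof SharedArrayBuffer,
    functypeSeenByConsumer: consumed[0].payload[1],
    // Would the engine's own validator accept what the consumer just read?
    stillValidWasm: WebAssembly.validate(Uint8Array.from(input)),
  };
}

console.log("vulnerable:", runPipeline(false));
console.log("fixed:     ", runPipeline(true));
```

With `copyFirst` false the consumer sees the 0xff byte and `WebAssembly.validate` rejects the bytes it was handed, even though validation passed a moment earlier; with `copyFirst` true the consumer sees the validated 0x60. In a real engine the consumer is native code that has already been told the input is well-formed, so it does not get a second `validate` call, which is why the window matters.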


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-362 (Race Condition)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Network (a crafted web page visited by the victim; drive-by, no download or user interaction beyond loading the page)
  • EPSS Score: 0.00103 (about 0.1% predicted probability of exploitation in the wild; low, as expected for a freshly published bug)
  • Exploit Status: PoC available (internal/research, not publicly released)
  • Impact: Remote Code Execution (RCE)

Affected Systems

  • Google Chrome < 139.0.7258.127 (fixed in 139.0.7258.127)
  • Microsoft Edge (Chromium): builds on a Chromium base older than 139.0.7258.127 (fixed in Edge 139.0.2155)
  • Brave Browser and Opera: any release built on a Chromium base older than 139.0.7258.127 (check the vendor's release notes for the matching vendor version)
  • V8 JavaScript Engine: the version bundled with the affected Chromium builds; standalone embedders need the equivalent upstream fix

Code Analysis

Commit: 6787532

V8: Fix race condition in ReadableStream consumers by enforcing data copy

--- a/src/wasm/streaming-decoder.cc
+++ b/src/wasm/streaming-decoder.cc
@@ -120,7 +120,7 @@
-  // Direct access to backing store
+  // Ensure copy to private buffer
   std::vector<uint8_t> buffer_copy(data, data + length);
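Review bot: this hunk changes only a comment, so it does not show the fix the commit message describes; the single context line, `std::vector<uint8_t> buffer_copy(data, data + length);`, is unchanged and therefore existed before the patch. If the fix is to enforce a copy, the diff should show the copy being taken before the validator runs and the validation and compilation paths consuming `buffer_copy` instead of `data`; as presented, a reader cannot tell whether any consumer still reads from the shared backing store. The header `@@ -120,7 +120,7 @@` also announces seven lines of context on each side while only three lines are shown, so the hunk is truncated and should be reproduced in full.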

Exploit Details

Mitigation Strategies

  • Do not opt your own sites into cross-origin isolation (Cross-Origin-Opener-Policy: same-origin plus Cross-Origin-Embedder-Policy: require-corp) unless you need SharedArrayBuffer, since those headers are what unlock it. Note the limit of this control: it only reduces exposure of pages you serve. An attacker's own drive-by page can set the same headers, so this is no substitute for patching.
  • Ensure automatic browser updates are enabled across the enterprise environment; the patched build is the only complete fix.
  • Endpoint protection that flags renderer crashes or exploitation-style behaviour (heap spraying, sandbox-escape attempts) can act as a safety net, but treat such detections as a signal to patch, not as a mitigation.

Remediation Steps:

  1. Identify all endpoints running Google Chrome versions prior to 139.0.7258.127.
  2. Force update via Group Policy or MDM solutions.
  3. Verify the version by navigating to chrome://settings/help.

References


Read the full report for CVE-2025-8880 on our website for more details including interactive diagrams and full exploit analysis.
