Lately, I decided (as an exercise) to exploit the vulnerability recently discovered by Big Sleep in Chromium, labeled CVE-2025-10891 (Issue 443765373).
After about a month, I was able to write a full RCE PoC. The gist is that I have an arbitrary Ignition bytecode pc jump; to utilize it I have to run arbitrary bytecode, and to do so I recycled the idea of JIT bytecode spraying. After that I mainly used the trick covered in this writeup to stack pivot and, even before that, to leak a heap object address.
Since I did my PoC on macOS, at least on my i9/M3 Pro machines it seems that the higher bit was always set (0x01…) (I am not an XNU expert), so I hardcoded it. Otherwise, for Linux (and others?) we can use the iframes trick to brute-force the 8 bits (similar to what's documented here). Here is an exact quote from the aforementioned writeup:
Since we can't directly leak 64-bit values, we also can't just read a return address from the stack to figure out where in memory d8 is loaded. However, the part of the address randomized by ASLR is mostly in the lower half, so getting the lower 32 bits of a code pointer already gives us quite a lot of information. About 8 bits of the address are still unknown, so we can either brute force them or find some other way to leak the top bits.
Here is the PoC clip:
Here is my CVE-2025-10891 Chromium RCE PoC: https://t.co/jqrevQ9Ca4 pic.twitter.com/NtAfSeQtFj
— m411k (@m411k_) March 1, 2026
The source code can be found here.