Conversation

@buherator Extremely interesting to see a type confusion attack in the WASM interop boundary, this is a nice writeup!

WASM isorecursive canonical type id <-> wasm::HeapType / wasm::ValueType confusion in JS-to-WASM conversion functions and their wrappers (FromJS(), (Wasm)JSToWasmObject(), etc.), resulting in type confusion between arbitrary WASM types.
