Use-after-free in Google Chrome CSSFontFeatureValuesMap
CVE-2026-2441 is a high-severity use-after-free vulnerability in the CSS component of Google Chrome, affecting versions prior to 145.0.7632.75. Available reporting further describes it as an iterator invalidation bug in CSSFontFeatureValuesMap, Chrome's implementation of CSS font feature values. A remote attacker can trigger the flaw by causing a target to load a crafted HTML page, leading to use of freed memory during CSS processing. Google stated that exploitation had been observed in the wild.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).
Repository is a standalone browser exploit demo for CVE-2026-2441, presented as a Chrome/Blink CSSFontFeatureValuesMap iterator invalidation use-after-free. Structure is centered around five meaningful files: README.md documents the claimed vulnerability and exploitation concept; poc.html contains the JavaScript/HTML proof-of-concept and phishing-style payload flow; victim.html simulates a logged-in banking session and launches the popup exploit; attacker_server.py is a threaded local HTTP server that serves all pages and receives exfiltrated data; attacker.html is an operator dashboard that displays stolen data live via SSE or polling; demo.sh automates launching the server and Chromium with permissive flags. Main exploit capability: poc.html attempts to trigger the UAF by mutating a CSSFontFeatureValuesMap during iteration using multiple methods described in the README (entries iterator mutation, for-of mutation, requestAnimationFrame/layout recalc). Beyond the crash trigger, the repository includes an operational demonstration payload: victim.html seeds cookies/localStorage/sessionStorage with fake banking session data, opens poc.html as a same-origin popup, and poc.html reads data from window.opener, captures phishing form inputs (name, email, password, card number, expiry, CVV, OTP), packages them with simulated heap leak/UAF status metadata, and exfiltrates them to the local server. Network behavior is entirely local by default: the Python server binds to 127.0.0.1:7777 and exposes /victim.html, /poc.html, /attacker.html, POST /collect, GET /events, and GET /data. attacker.html connects to /events using EventSource and falls back to polling /data every 3 seconds. The only external network reference in active page code is a Google Fonts import in attacker.html. This is not a framework module and not merely a detector. It is an operational demo/PoC that combines a browser memory-corruption trigger with simulated post-exploitation data theft and operator visibility. The included chrome-linux.zip is not a real browser binary; it contains an XML NoSuchKey error response, so it is not functional exploit content.
Repository contains a minimal, self-contained browser PoC for CVE-2026-2441 (Blink CSSFontFeatureValuesMap use-after-free) consisting of two files: (1) README.md documenting the vulnerability, affected Chrome/Chromium versions, root cause (iterator invalidation due to a raw pointer to a HashMap that can rehash on mutation), and expected crash behavior; and (2) poc.html, an HTML+JavaScript page that triggers the bug. Core exploit capability: the PoC obtains a CSSFontFeatureValuesRule via an @font-feature-values at-rule, accesses rule.styleset (CSSFontFeatureValuesMap), creates an iterator (map.entries() / for..of), then mutates the map during iteration using delete() and repeated set() calls to force HashMap rehashing. This invalidates the iterator’s backing storage in vulnerable Blink builds, producing a renderer-process UAF that typically manifests as a crash (SIGSEGV/STATUS_ACCESS_VIOLATION). The PoC also performs heap grooming by inserting many same-shaped @font-feature-values rules to allocate similar objects and increase determinism for research. Trigger methods implemented (per README and visible in poc.html): (a) entries() iterator with mutation loop, (b) for...of iteration with concurrent delete/set spraying, and (c) requestAnimationFrame loop that forces layout recalculation (offsetWidth) and continues iterator stepping while mutating the map. No network C2, exfiltration, or post-exploitation payload is present; the code is intended to demonstrate and reproduce the crash/UAF condition in vulnerable Chrome versions rather than deliver a full RCE chain.
Repository contains a minimal browser PoC for CVE-2026-2441 (Blink CSSFontFeatureValuesMap iterator invalidation leading to Use-After-Free).
Structure:
- README.md: only a title.
- poc.html: full PoC page with embedded CSS/JS.
Exploit purpose and flow (poc.html):
1) Defines an @font-feature-values rule with a @styleset block to ensure a CSSFontFeatureValuesRule exists.
2) Uses CSSOM to fetch the stylesheet rule (sheet.cssRules[0]) and obtains rule.styleset, a CSSFontFeatureValuesMap wrapper around an internal HashMap (FontFeatureAliases).
3) Performs heap grooming by dynamically inserting ~50 additional @font-feature-values rules to create similarly-sized allocations, increasing the chance that freed HashMap storage is reclaimed predictably.
4) Triggers the UAF by creating an iterator (map.entries()) and then mutating the map during iteration (map.delete(key) and many map.set(...) calls) to force HashMap rehashing. In the vulnerable implementation, the iteration source holds a raw pointer to the HashMap storage; rehash frees old storage, leaving a dangling pointer and invalid iterator, leading to a renderer crash when the iterator advances.
5) Includes additional trigger variants (a for...of loop over entries with mutation, and an async requestAnimationFrame loop that forces layout recalculation via document.body.offsetWidth before iterating/mutating) to increase reliability.
Capabilities:
- Primary: renderer-process crash/DoS via UAF trigger in Blink.
- No networking, no external C2, no shellcode, and no post-exploitation actions are present.
Fingerprintable endpoints/targets:
- No URLs, IPs, domains, registry keys, or external resources.
- Only local file entry point (poc.html) and references to Blink source path and CSSOM/CSS features used to reach the vulnerable code path.
Overall, this is a standalone, client-side HTML/JS proof-of-concept intended to demonstrate and reproduce a Blink UAF crash condition in specific Chrome versions, not a weaponized exploit.
Repository contains a minimal browser PoC for CVE-2026-2441 (Chrome/Blink CSS Use-After-Free) with two files: README.md and index.html.
- README.md: Describes the bug as a CSSFontFeatureValuesMap iterator invalidation UAF in Blink, claims impact up to renderer RCE inside the sandbox on Chrome <= 144.0.x, and instructs users to host index.html and visit it; an "Aw, Snap!" crash is presented as a vulnerability indicator.
- index.html: Self-contained HTML/JS PoC that constructs @font-feature-values rules, obtains the CSSOM object (CSSFontFeatureValuesRule) and its styleset map (CSSFontFeatureValuesMap), performs heap grooming by inserting many similar rules, then triggers the UAF by iterating map.entries() while mutating the map with delete()/set() to induce HashMap rehash and iterator invalidation. It also includes an asynchronous trigger using requestAnimationFrame combined with forced layout recalculation via offsetWidth to repeatedly exercise the vulnerable code path.
No network I/O, C2, or external resources are present; the only actionable "endpoints" are local file/DOM/CSS constructs. The code is best characterized as a crash/trigger PoC (POC maturity), not a complete weaponized RCE chain, despite the README's high-level chain description.
Repository contains a single browser-based proof-of-concept for CVE-2026-2441 (Blink CSSFontFeatureValuesMap use-after-free) plus documentation.
Structure:
- README.md: Detailed vulnerability write-up (root cause, affected versions, fix description/commit hash, expected behavior), and explains three triggering strategies (entries() iterator + mutation, for...of + mutation, and requestAnimationFrame + layout recalc). Also includes impact discussion and references.
- poc.html: Self-contained HTML/JS PoC that:
1) Creates/locates an @font-feature-values rule and obtains its CSSOM map via rule.styleset (CSSFontFeatureValuesMap).
2) Performs heap grooming by inserting ~50 additional @font-feature-values rules to allocate similarly-sized objects.
3) Triggers the bug by iterating (map.entries() / for...of) while mutating the same map (delete/set) with large numbers of insertions (e.g., 512 set() calls) to force HashMap rehash/reallocation, aiming to invalidate the iterator and cause a UAF.
4) Repeats the trigger in an async loop using requestAnimationFrame and forces layout recalculation via document.body.offsetWidth to exercise the CSS engine repeatedly.
Capabilities:
- Reliable crash-oriented UAF trigger in the Chrome renderer process on vulnerable versions.
- Includes basic exploitation-adjacent techniques (allocation pressure/heap grooming) but no post-crash code execution payload, no network exfiltration, and no C2 endpoints.
Overall purpose:
- Demonstrate and validate the iterator invalidation UAF in Blink's CSSFontFeatureValuesMap (CWE-416) and differentiate patched vs unpatched behavior by observing renderer stability/crash.
Recent activity
283 sources tracked across advisories, community write-ups, and news.
An actively exploited Chrome zero-day in the CSSFontFeatureValuesMap CSS component involving iterator invalidation.
An actively exploited Chrome zero-day referenced as one of five addressed by Google in 2026; no further technical details are provided in the content.
A Chrome zero-day described as a use-after-free vulnerability in CSS that Google says was exploited in attacks in the wild.
A Chrome zero-day involving an iterator invalidation bug in CSSFontFeatureValuesMap that Google patched in mid-February and that was described as exploited in attacks.