Out-of-bounds write in Skia in Google Chrome
CVE-2026-3909 is a high-severity out-of-bounds write vulnerability in Skia, the open-source 2D graphics library that Google Chrome uses to render web content and user interface elements. Affected Chrome versions are those prior to 146.0.7680.75. The issue can be triggered by a remote attacker via a crafted HTML page, resulting in out-of-bounds memory access. Public reporting states that Google confirmed exploitation in the wild and patched the issue in Chrome 146.0.7680.75/.76.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small, focused proof-of-concept for CVE-2026-3909 against Chromium/Chrome's Skia-backed GPU text/raster pipeline. It is not a standalone exploit program or framework module; instead, it provides two patch files meant to be applied to a vulnerable Chromium source tree plus a minimal local HTML trigger page.

Repository structure:
- README.md: explains the vulnerability context, target Chromium revision, build arguments, patch locations, usage, and expected crash output.
- raster_implementation.cc.patch: modifies Chromium GPU client code in RasterImplementation::UnmapRasterCHROMIUM.
- SkChromeRemoteGlyphCache.cpp.patch: modifies Skia glyph cache handling in SkStrikeServer::writeStrikeData.
- trigger.html: minimal page used to exercise the patched rendering path.

Main exploit capability:
- The PoC injects hardcoded malformed serialized rendering/glyph data into internal renderer-side buffers.
- In SkChromeRemoteGlyphCache.cpp.patch, when running in a renderer process and the strike-data buffer is empty, the patch replaces it with a large attacker-controlled byte array.
- In raster_implementation.cc.patch, when running in a renderer process, the patch overwrites the mapped raster buffer with crafted DrawSlugOp serialized data and tweaks format fields to create inconsistent state.
- The intended effect is to drive Chromium/Skia into an invalid atlas plot lookup, producing an out-of-bounds access and abort in GrDrawOpAtlas::hasID(), evidenced by the README's stack trace.

Attack surface and delivery:
- The primary vector is browser/file-based local content: the user opens trigger.html in the patched vulnerable browser.
- There are no C2 endpoints, remote callback URLs, or exfiltration routines.
- No shellcode, reverse shell, persistence, or post-exploitation logic is present.

Assessment:
- This is a real exploit PoC, but only for crash reproduction/bug triggering.
- It is best classified as POC maturity because the payload is hardcoded and aimed at demonstrating the vulnerability rather than achieving arbitrary code execution.
This repository is a small Chromium browser proof-of-concept for CVE-2026-3909, not a standalone exploit framework. It contains four files: a README, two patch files against Chromium/Skia source, and a minimal trigger.html page. The exploit is designed to be applied to a vulnerable Chromium source tree and built locally, then triggered by opening the local HTML file. The core capability is crash triggering via malformed internal graphics/text serialization, not remote code execution.

The raster_implementation.cc patch hooks RasterImplementation::UnmapRasterCHROMIUM and, when running in a renderer process, overwrites the mapped raster buffer with a hardcoded serialized DrawSlugOp blob. It also mutates selected fields to alter mask/pixel formats before copying the payload into the raster buffer. The SkChromeRemoteGlyphCache.cpp patch hooks SkStrikeServer::writeStrikeData and, if the process is a renderer and the original strike-data buffer is empty, replaces it with a large hardcoded byte array representing crafted strike/glyph data. Together these patches force Chromium/Skia to process inconsistent atlas/glyph state.

The README documents the intended target version context (Chromium 146.0.7680.71), Linux x64 debug build arguments, usage steps, and the resulting abort stack trace. It also suggests optional debug instrumentation in DrawAtlas::hasID() to observe invalid plot indices and notes that on stable builds similar logic could be implemented via runtime hooks instead of source patches.

There are no external C2, download, or network callback endpoints in the exploit logic. The only meaningful observables are local file paths, Chromium source paths, and the process-type switch value used to ensure execution in the renderer process. Overall, this is a browser/file-triggered PoC that demonstrates reliable denial-of-service/crash behavior in vulnerable Chromium/Skia rendering paths.
Recent activity
- A Chrome zero-day vulnerability fixed in March 2026 affecting V8 JavaScript and WebAssembly and/or related Chrome components, as described in the article.
- An earlier Chrome zero-day from 2026, referenced only as having been exploited in the wild.
- A previously exploited Chrome zero-day from 2026, referenced only as one of the earlier Chrome zero-days.
- An actively exploited Chrome zero-day in the Skia 2D graphics library involving an out-of-bounds write.