Patch Gap to Mobile Renderer RCE: Pwning Samsung Internet’s V8 on the Galaxy S25

Author: Hrvoje Mišetić, Jamie Hill-Daniel, William Liu (Otter Audits LLC / Crusaders of Rust Security Research Group)
Published: April 1, 2026
Source: https://osec.io/blog/2026-04-01-patch-gap-to-mobile-renderer-rce/

Summary

Researchers from Otter Audits LLC and the Crusaders of Rust Security Research Group demonstrated a full renderer remote code execution (RCE) exploit chain against Samsung Internet on the Galaxy S25. The attack exploited a significant patch gap: the browser shipped with V8 version 13.6.233.10, a build roughly six months behind upstream and carrying multiple known, publicly disclosed vulnerabilities. By chaining a bytecode interpreter flaw (CVE-2025-10891) with a store-store elimination bug (CVE-2025-5419), the researchers achieved arbitrary code execution inside the renderer process and, from there, universal cross-site scripting (UXSS) against every non-isolated website loaded in the browser.

Technical Details

Samsung Internet’s bundled V8 JavaScript engine lagged well behind upstream Chromium, exposing the browser to n-day vulnerabilities that had already been fixed in stable Chrome releases, often before the details were public. This “patch gap” is a well-documented problem that is especially common among third-party browser vendors on Android, who ship their own engine builds on their own release cadence.

The primary vulnerability, CVE-2025-10891, is a flaw in V8’s Ignition bytecode interpreter. Handler offsets for bytecode instructions are stored in 28-bit bitfields, so once a function’s bytecode grows past what 28 bits can address, offsets are silently truncated and the interpreter jumps to the wrong instruction address. The researchers exploited this by building oversized functions whose bytecode layout placed attacker-controlled data at exactly the addresses the truncated offsets resolve to.

The exploitation technique relied on constant smuggling: floating-point constants and arithmetic instructions were crafted so that their in-memory binary representation is a valid sequence of ARM64 machine code. By abusing V8’s feedback vector slots, which the runtime uses to collect type profiles for speculative optimization of arithmetic operations, the researchers embedded shellcode within otherwise legitimate-looking JavaScript values.
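To make the constant-smuggling step concrete, here is an added example, written for this page and not code from the authors’ exploit, that packs two ARM64 instruction words into the IEEE-754 bit pattern of a JavaScript number and decodes them back, which is how machine code can be hidden inside a numeric constant. The instruction encodings are assumed to be the standard ones for `mov x0, #42` and `ret`; the NaN check is a general precaution (a constant whose bit pattern is a NaN may be canonicalized by the engine and lose its payload bits), not a detail taken from the original post.

```javascript
// Added example: smuggling ARM64 instructions inside a JavaScript double.
// A JS number is a 64-bit IEEE-754 value; on little-endian ARM64 the first
// instruction occupies the low 32 bits and the second the high 32 bits.
const buf = new DataView(new ArrayBuffer(8));

// True if the 64-bit pattern (hi:lo) is a NaN: exponent all ones and a
// non-zero mantissa. Assumption/caveat: engines may canonicalize NaNs, so a
// smuggled constant should never decode to NaN.
function isNanPattern(lo, hi) {
  const expAllOnes = (hi & 0x7ff00000) === 0x7ff00000;
  const mantissaNonZero = (hi & 0x000fffff) !== 0 || lo !== 0;
  return expAllOnes && mantissaNonZero;
}

// Pack two 32-bit instruction words into one double; rejects NaN patterns.
function packInstructions(first, second) {
  if (isNanPattern(first, second)) {
    throw new Error("instruction pair encodes a NaN; choose different instructions");
  }
  buf.setUint32(0, first >>> 0, true);   // low word, little-endian
  buf.setUint32(4, second >>> 0, true);  // high word, little-endian
  return buf.getFloat64(0, true);
}

// Recover the two instruction words from a double: this is what the CPU
// would execute if control flow landed on the constant's storage.
function unpackInstructions(d) {
  buf.setFloat64(0, d, true);
  return [buf.getUint32(0, true), buf.getUint32(4, true)];
}

// Constructed sample: `mov x0, #42` (0xD2800540) followed by `ret` (0xD65F03C0).
const MOV_X0_42 = 0xd2800540;
const RET = 0xd65f03c0;

// Round-trips the sample pair and reports the smuggled double and both words.
function demo() {
  const smuggled = packInstructions(MOV_X0_42, RET);
  const [w0, w1] = unpackInstructions(smuggled);
  return { smuggled, w0, w1, roundTrip: w0 === MOV_X0_42 && w1 === RET };
}

console.log(demo());
```

Because the sample pair has an exponent field that is not all ones, the resulting double is an ordinary finite value and survives storage and reload bit-for-bit; an exploit author building a longer chain would run every pair through the same check and pad with `nop` (0xD503201F) where a pair would otherwise collide with a NaN encoding.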

With instruction-level control established, the exploit hijacked the DeserializeWasmModule runtime function to load an arbitrary WebAssembly module containing native code of the attacker’s choosing; device-specific WasmModule serialization was leveraged to get around architecture-level restrictions. To turn code execution into UXSS, the shellcode patched the Builtins_ConstructFunction entry point and called into V8’s DebugEvaluate::Global API, which allows arbitrary JavaScript to run in the context of any page sharing the renderer process. Chromium’s comparatively weak site isolation model on Android, which only isolates sites where the user has logged in or that send a Cross-Origin-Opener-Policy header, greatly increased the blast radius of this primitive, since most origins end up sharing a renderer process.

Impact

A successful exploit gives an attacker remote code execution inside Samsung Internet’s renderer process on Galaxy S25 devices. Because Android does not enforce per-site process isolation as broadly as desktop Chrome, the UXSS primitive lets the attacker run arbitrary JavaScript in the context of any non-isolated website the victim has open, enabling session hijacking, credential theft, and data exfiltration at scale. Affected product: Samsung Internet on the Galaxy S25 shipping V8 version 13.6.233.10 or earlier unpatched builds. CVEs involved: CVE-2025-10891 (Ignition bytecode offset truncation) and CVE-2025-5419 (store-store elimination bug).

Mitigation

The underlying V8 vulnerabilities have been addressed in upstream Chromium. In addition, the SerializeWasmModule and DeserializeWasmModule runtime functions have been removed from production V8 builds (the Chromium code review is linked from the original post), which eliminates the serialization primitive used in the exploit chain. Users should update Samsung Internet to the latest available version. Samsung had not published a standalone security advisory as of the original publication date; users on unpatched Galaxy S25 devices should consider using an up-to-date Chromium-based browser until a patched Samsung Internet release is available. Enterprises should audit third-party browser deployments for V8 patch gap exposure as a general defensive measure, comparing the bundled V8 version against the current upstream stable release rather than relying on the browser’s own version number.

References
