V8 ACE Exploit 2026: How Glasswing Achieved Arbitrary Code Execution in Chrome
Anthropic's Claude Mythos scored 21 out of 41 V8 arbitrary code execution exploits on ExploitBench. Every other AI model scored zero. Here is what that means for your browser fleet.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
When security researchers talk about browser vulnerabilities, they usually mean one of two things: a flaw in how the browser renders HTML and CSS, or a flaw in how the browser's JavaScript engine executes code. V8, Google's JavaScript engine used in Chrome and every other Chromium-based browser, is one of the most complex and performance-critical pieces of software in modern computing. It includes a multi-tier JIT compiler, a garbage collector, and a type system that makes assumptions about JavaScript object shapes for performance reasons. Those assumptions are precisely where arbitrary code execution vulnerabilities emerge. Project Glasswing's Claude Mythos AI demonstrated, on Anthropic's ExploitBench evaluation, that it could autonomously generate working V8 ACE exploits for 21 out of 41 evaluated scenarios. Every other AI model evaluated scored zero. V8 ACE is confirmed among the 9 Glasswing CVEs as of the July 5, 2026 progress report. This post explains what type confusion and JIT-based ACE means, how the ExploitBench result reframes the threat landscape, and what enterprise Chrome management teams must do in response.
What Is V8 Arbitrary Code Execution?
V8's JIT compiler (TurboFan) converts JavaScript bytecode into optimized native machine code based on observed runtime behavior. When V8 observes that a function consistently receives objects of the same shape (the same set of properties in the same order), it generates highly optimized native code that assumes that shape will continue. If the shape changes unexpectedly, V8 must deoptimize and fall back to the interpreter. Type confusion vulnerabilities exploit this optimization system. An attacker crafts JavaScript that initially presents V8 with a consistent object type, triggering JIT optimization, then violates the type assumption in a way that causes V8 to treat one type of object as a different type. The resulting native code reads or writes memory based on the wrong type's field offsets, allowing the attacker to read or write arbitrary memory locations in the renderer process's address space. From arbitrary memory read/write in a JIT-compiled process, a skilled attacker can locate and overwrite function pointers, construct return-oriented programming (ROP) chains, and redirect execution to shellcode. The V8 ACE vulnerability in the Glasswing CVE list follows this class of exploitation technique.
ExploitBench: 21/41 and What It Actually Means
Anthropic published its Exploit Evals benchmark report on May 22, 2026, introducing ExploitBench as a standardized evaluation framework for measuring autonomous exploitation capability. The V8 component of ExploitBench contains 41 challenge instances, each representing a real or realistic V8 vulnerability requiring a working exploit to solve. Claude Mythos solved 21 of them autonomously, producing code that successfully achieved arbitrary code execution in a controlled V8 environment. Every other AI model evaluated, including earlier Claude versions, GPT-class models, and open-source alternatives, scored zero. A score of zero does not mean those models are incapable of writing exploit-like code. It means they failed to produce code that actually achieved ACE in the test harness, the gap between writing code that looks like an exploit and writing code that reliably exploits a specific vulnerability in a specific runtime. The 21/41 result is significant not because it means Mythos can exploit every V8 vulnerability (it solved 51%), but because it establishes that the capability threshold for autonomous browser exploitation has been crossed by an AI system for the first time. The implication for defenders is that the resource advantage historically enjoyed by well-funded exploit developers is narrowing.
“No other model evaluated on ExploitBench scored above zero on V8 ACE. Mythos achieved 21 of 41, establishing a capability threshold that has not previously existed in AI-assisted offensive security.”
Anthropic Exploit Evals Benchmark Report, May 22, 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
How Type Confusion Leads to ACE: A Practitioner Walkthrough
Consider a simplified attack pattern for a V8 type confusion exploit. An attacker writes a JavaScript function that creates an array and a typed array (Float64Array) and manipulates the garbage collector's behavior through carefully timed allocations. By triggering a JIT compilation of a function that operates on the array, then causing the function to receive an object of an unexpected type, the attacker can make V8's JIT-compiled code write to the wrong offset in memory. With enough control over the memory layout, they can corrupt the length field of the typed array, giving themselves an out-of-bounds read/write primitive. From there, they use standard V8 exploitation techniques (addrof/fakeobj primitives, ArrayBuffer corruption) to achieve arbitrary read/write in the process address space, locate the target function (typically a WASM-related function pointer), and overwrite it with shellcode. This sequence, which previously required months of specialized V8 internals knowledge to develop, is the kind of exploit chain that Mythos generates autonomously within the ExploitBench evaluation. The Glasswing V8 ACE CVE represents a specific instance of this class in a production Chrome codebase.
Attack Scenario: Drive-By, Watering Hole, and Malicious Ads
V8 ACE vulnerabilities are exploitable through any webpage that an unpatched browser visits. The attacker does not need the user to download a file, enter credentials, or interact with the page beyond loading it. Common delivery mechanisms include watering hole attacks (compromising a website that the target population frequently visits, such as an industry trade publication or vendor portal), malicious advertising (injecting exploit code through a compromised ad network that serves to legitimate publisher sites), and spear-phishing (sending a link to a crafted page that exploits V8 when loaded). The drive-by exploitation model makes V8 ACE particularly dangerous in enterprise environments where users regularly browse to external sites as part of their work. A single compromised advertising network or popular industry site can be used to deliver the exploit to thousands of employees across multiple organizations simultaneously.
Browser Isolation: What It Protects and Where It Falls Short
Chrome's multi-process architecture and sandbox model are genuine security improvements that significantly raise the cost of exploiting browser vulnerabilities. Each tab runs in a separate renderer process with limited OS privileges, enforced by a seccomp-bpf filter (Linux) or job object restrictions (Windows). A V8 ACE exploit executing in the renderer process cannot directly access the filesystem, spawn processes, or make network connections outside the browser's controlled channels. However, the sandbox has well-documented weaknesses. Sandbox escapes are a separate vulnerability class and remain actively researched by both offensive teams and defenders. The Glasswing CVE list includes a separate browser JIT vulnerability in addition to the V8 ACE, which may represent a multi-stage chain. Additionally, even a sandboxed renderer compromise allows session cookie extraction from in-memory browser state, access to in-page credentials and form data, JavaScript-level access to any data the tab can reach (including internal corporate web applications), and injection of content into the page visible to the user. Enterprise security teams should not treat the Chrome sandbox as a complete defense against V8 ACE exploitation.
Enterprise Chrome Management: Update Policies and Channel Pinning
Google Chrome is unique among major enterprise software in shipping security updates on a weekly cadence through the stable channel, often with minimal advance notice about specific CVE details. Chrome Browser Cloud Management (CBCM) allows enterprise administrators to manage the Chrome fleet through the Google Admin console, enforce minimum version thresholds, and monitor update compliance across managed devices. The most important policy settings for security teams are: AutoUpdateCheckPeriodMinutes (reduce to ensure frequent update checks), RelaunchNotification (set to REQUIRED_FORCE to ensure users apply updates that require a restart), and ChromeChannel (lock to Stable, never Extended Stable, which receives less frequent security updates). For organizations using Chromium-based browsers other than Google Chrome, ensure those products have a comparable update enforcement mechanism. Browser version compliance dashboards should be reviewed daily during active Glasswing disclosure periods.
Detection: EDR Telemetry for Browser Child Process Anomalies
V8 ACE exploitation in Chrome produces characteristic behavioral signals at the OS level. Endpoint detection and response (EDR) platforms should be configured to alert on the following patterns: unusual child processes spawned by chrome.exe or chrome (Linux) with a renderer process parent, specifically processes that are not themselves Chrome components; network connections initiated by a Chrome renderer subprocess to non-browser infrastructure; temporary files written to %APPDATA% or /tmp by Chrome renderer processes; and memory injection events where Chrome renderer processes allocate executable memory regions outside of V8's managed heap. These signals are not specific to this Glasswing CVE, but they represent the behavioral signatures of any successful V8 ACE exploitation and should be baseline detection capability in any enterprise EDR deployment.
Full Exploit Chain Details and Chrome Update Verification Toolkit
Anthropic's Glasswing disclosure package for the V8 ACE vulnerability includes the full technical exploit chain analysis, EDR detection rules tuned to the specific behavioral patterns observed during Mythos exploitation testing, Chrome version verification scripts for fleet-wide deployment, and a prioritized list of browser configurations that increase or decrease exploitability. These are available exclusively in the free Mythos Brief.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
A 21/41 score on ExploitBench, against a zero baseline for every other AI model, is not a benchmark curiosity. It is evidence that the capability threshold for autonomous browser exploitation has been crossed. The V8 ACE vulnerability in the Glasswing CVE list means that a drive-by browser compromise via a malicious webpage is within scope for a Glasswing-class attacker. Chrome auto-updates, but only if users restart their browsers to apply the update. Enterprise Chrome management requires active enforcement: update policies, restart deadlines, and compliance monitoring. Get the full exploit chain analysis, EDR detection rules, and Chrome hardening templates from the free Mythos Brief at decryptiondigest.com/mythos-brief.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is ExploitBench?
ExploitBench is Anthropic's internal evaluation framework for measuring an AI model's autonomous exploitation capability against a curated set of real-world vulnerability instances. The benchmark includes 41 V8 arbitrary code execution challenge instances, each representing a real or realistic V8 vulnerability scenario. A score of 21/41 means Claude Mythos autonomously generated working exploit code for 21 of those 41 scenarios without human assistance. The benchmark was introduced in Anthropic's Exploit Evals report published May 22, 2026. No other AI model evaluated on ExploitBench scored above zero, establishing a measurable capability gap between Mythos and all other current models.
Is Brave, Edge, or Opera also affected by V8 vulnerabilities?
Yes. Brave, Microsoft Edge, Opera, Samsung Internet, and most other modern browsers are built on the Chromium open-source project and share the V8 JavaScript engine. A V8 vulnerability affects all Chromium-based browsers, not just Google Chrome. Firefox uses its own JavaScript engine (SpiderMonkey) and is not affected by V8-specific vulnerabilities. Safari uses JavaScriptCore (Nitro). Enterprise teams managing a mixed browser fleet should ensure that all Chromium-based browsers are updated, not just Chrome.
Does Chrome's sandbox prevent ACE from having real impact?
Chrome's sandbox is a strong containment boundary that prevents a compromised renderer process from directly accessing the filesystem or network with user-level privileges. However, sandbox escapes are a separate vulnerability class, and V8 ACE is typically the first stage of a two-stage attack: ACE in the renderer process, followed by a sandbox escape to gain access to the broader system. The Glasswing CVE list also includes a separate browser JIT vulnerability, suggesting that Mythos is developing multi-stage exploit chains. ACE without sandbox escape still enables session cookie theft, credential harvesting from the browser process memory, and cryptomining within the compromised tab.
How quickly did Glasswing find V8 ACE vulnerabilities?
The Glasswing program ran its initial assessment in April 2026, published the Exploit Evals benchmark report on May 22, 2026, and documented V8 ACE among its 9 confirmed CVEs in the July 5, 2026 90-day progress report. The timeline from initial assessment to confirmed CVE was approximately 90 days. Traditional security research on V8 typically involves years of deep specialization in JavaScript engine internals. The ExploitBench result of 21/41 suggests Mythos achieved this at a level of capability that compresses what previously required highly specialized human expertise.
How do I verify my Chrome fleet is on the latest stable version?
In Google Workspace environments, Chrome Browser Cloud Management (CBCM) provides a centralized dashboard showing the Chrome version distribution across your managed fleet. You can set version pinning policies and enforce update deadlines. For unmanaged endpoints, Chrome updates silently in the background but requires a browser restart to apply. You can verify the installed version at chrome://settings/help. The Chrome Releases blog at chromereleases.googleblog.com publishes stable channel updates with version numbers and CVE patch counts, making it a reliable signal for when a security-relevant update has shipped.
What Chrome enterprise policies most effectively reduce V8 exploit risk beyond standard updates?
Beyond keeping Chrome current, three Chrome enterprise policies provide meaningful risk reduction for V8 ACE class vulnerabilities. First, enforce 'DefaultJavaScriptJitSetting' with a value of '2' (disable JIT) on high-risk endpoints such as privileged access workstations, executive endpoints, and systems that only browse internal applications -- this eliminates the JIT attack surface entirely at the cost of JavaScript performance degradation. Second, enable 'SitePerProcess' isolation to ensure every site origin runs in a separate renderer process, which reduces cross-site data leakage even if a renderer is compromised. Third, configure 'RelaunchNotification' to 'REQUIRED_FORCE' with a short 'RelaunchNotificationPeriod' so that updates requiring a browser restart are applied within hours rather than persisting for days on machines with long uptime. These policies are deployable via Group Policy Object on Windows, Chrome Enterprise Bundle on macOS, and CBCM policy for cloud-managed fleets.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
