Responding to an ITW Chrome Sandbox Escape (Twice!)
by Alex Gough | 4:45pm
Chrome uses a multi-process architecture to separate web contents from the rest of your computer, so attackers need more than one bug to access your system. Many of these bugs are memory-safety issues, but one day we will fix all of those, and only logic bugs will remain. This talk is about a logic bug, and another logic bug, that allowed an attacker to escape the Chrome sandbox on Windows. We didn’t discover the bugs, but we did introduce them, then fix them. More importantly, we followed up with additional analysis and hardening. The bugs are interesting (and we’ll talk about them!), but we’ll also talk about the process a team of defenders goes through when understanding problems, fixing immediate causes, then hardening the product. That process of learning from our mistakes is what produces the most security, and ultimately makes it safe for people to click on links.
Acknowledgements: Unknown Threat Actor, Kaspersky, Google TAG, Chrome Security, DuplicateHandle(), C++
Deets: CVE-2025-2783, CVE-2025-4609, crbug.com/405143032, crbug.com/412578726
About Alex Gough
Alex Gough does Platform Security & Security Review for Chrome. He previously worked security jobs in Wellington and polished computers in Antarctica.