The sandbox was never the hard part
CVE-2026-40369 is a 12-byte Mojo IPC overflow in Chromium that converts renderer RCE into browser-process code execution on the host.
CVE-2026-40369. CVSS v3 base 9.6. Chromium sandbox escape via Mojo IPC deserialisation flaw in the network service broker. Affects Chrome Stable prior to 128.0.6613.119, Edge prior to 128.0.2739.67, and downstream Electron builds shipping Chromium 128 below the patch boundary. Listed as exploited in the wild before the fix landed. The chain pairs with any renderer RCE primitive - V8 type confusion, WebAssembly OOB, Blink UAF - to convert renderer code execution into user-context execution on the host.
The bug is a twelve-byte field confusion in a Mojo message handler. Mojo is Chromium’s IPC layer. Every privileged service the renderer needs - network, storage, GPU, audio - sits behind a Mojo interface defined by a .mojom file. The renderer sends a serialised message. The browser-side handler deserialises it against the generated bindings, validates the structured fields, and dispatches to the implementation. The validation step is where the trust boundary sits. Anything reaching the implementation function is treated as structurally valid.
In 40369, a struct in the network service interface carries a variable-length header block followed by a fixed-size descriptor. The descriptor includes a length field, a flags field, and a handle index. The generated deserialiser validates the outer struct size and the offset table. It does not re-validate the descriptor’s internal length against the residual buffer once the header block has been consumed. A crafted message sets the header block length to a value that places the descriptor twelve bytes before the end of the validated buffer. The descriptor’s own length field then claims a payload that runs eight bytes past the buffer tail. The handler copies into a fixed browser-process stack slot using the attacker-controlled length. Twelve bytes of overflow. Enough to overwrite the saved return address slot on a Windows x64 build where the stack layout has been mapped.
The primitive is a stack write inside the browser process, gated by Mojo validation that misses the secondary length. CWE-122 in classification, though the surface is stack-adjacent in the affected build configuration because of how the handler’s local scratch buffer is allocated under -O2. The browser process runs with the user’s full token. No restricted token, no job object, no seccomp filter. Code execution there is code execution on the host.
Reach requires a Mojo endpoint the renderer can already speak to. The network service interface is brokered to every renderer by default. The malicious message is a single IPC call. No timing, no race. The renderer holds the pipe, builds the message in its own address space, and writes it. The browser deserialises and the overflow lands.
Reaching the renderer is the front half of the chain. Drive-by compromise via a malicious page maps to MITRE T1189. The renderer RCE primitive - historically V8 TurboFan type confusion in this cluster of bugs - maps to T1203. The Mojo-side escape then maps to T1068, exploitation for privilege escalation, because the boundary crossed is the sandbox-to-host trust boundary, not a kernel ring transition. The chain terminates with arbitrary code in the browser process. From there, T1059 follow-on execution is trivial. The browser process can spawn children, write to the user profile, read browser-stored credentials, and reach the network without going through any broker.
In-the-wild use was reported against journalists and a small set of policy researchers in the weeks before the patch. The delivery vector observed was a watering-hole compromise of a regional news outlet, with the exploit JavaScript loaded conditionally based on User-Agent and a TLS JA3 hint suggesting a Chromium stable build in the vulnerable range. The post-exploitation payload was a loader staging a known commodity backdoor variant. Attribution remains partial. The exploitation pattern - selective targeting, narrow delivery window, conditional payload - is consistent with an access broker selling to a state-aligned customer rather than mass criminal use.
In telemetry, the chain is partially visible and partially blind. The renderer RCE itself produces nothing useful. The renderer crashes that ordinarily precede successful exploitation are absent because the exploit is stable. The Mojo message that triggers the escape leaves no trace at the network layer - it is an in-process IPC call, not a syscall or a packet. The browser process compromise becomes observable only at the point execution diverges from normal browser behaviour. On Windows with Sysmon configured to community baseline, Event ID 1 fires when the browser process spawns a non-standard child. Event ID 10 captures the ProcessAccess if the payload reaches into LSASS or another protected process. Event ID 11 logs file writes outside the expected browser profile paths. Event ID 3 logs outbound connections that do not match the browser’s normal destinations. None of these fire on the escape itself. They fire on what the attacker does next.
This is the detection gap. The exploit succeeds in silence. The browser process is trusted by every endpoint product to do unusual things - it makes outbound TLS connections to arbitrary hosts, reads and writes files in the user profile, loads plugins, spawns helper processes. The behavioural baseline for chrome.exe and msedge.exe is wide enough to hide most post-exploitation activity in its lower percentiles. EDR alert categories tuned for malware behaviours often suppress findings inside browser process trees on the assumption that the noise floor is too high. That assumption is the blind spot.
Where detection holds is the second-stage divergence. A browser process loading an unsigned DLL via reflective injection - Sysmon Event ID 7 with a non-Microsoft, non-Google ImageLoaded path - is a high-signal indicator. A browser process opening a handle to lsass.exe with PROCESS_VM_READ - Event ID 10 with GrantedAccess 0x1010 or similar - is decisive. A browser process writing a scheduled task entry, a Run key, or a service registration - Event IDs 12, 13, 14 against HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\System\CurrentControlSet\Services - is decisive. None of these require knowledge of 40369 specifically. They are post-exploitation invariants. Tuning EDR to alert on browser-process anomalies at this layer closes the gap that the in-renderer and in-IPC layers cannot.
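The second-stage invariants listed above can be expressed as a small triage pass over Sysmon events. The following is an added example, not code from the post or from any EDR product: it assumes Sysmon's standard field names (Image, ParentImage, SourceImage, TargetImage, GrantedAccess, Signed, Signature, TargetFilename, TargetObject), a constructed allowlist of browser images and signers, and constructed sample events. The profile-path and child-process baselines are deliberately narrow; a real deployment widens them (Downloads, Temp, updater helpers) before alerting.

```python
import ntpath

# Constructed baseline for this example, not a vendor rule set. Extend per environment.
BROWSERS = {"chrome.exe", "msedge.exe"}
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "Google LLC"}
# Paths a browser is expected to write under. Downloads/Temp would be added in practice.
PROFILE_MARKERS = (r"\AppData\Local\Google\Chrome\User Data",
                   r"\AppData\Local\Microsoft\Edge\User Data")
PERSISTENCE_KEYS = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                    r"HKLM\System\CurrentControlSet\Services")
PROCESS_VM_READ = 0x0010  # bit inside GrantedAccess; the 0x1010 cited above includes it


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_browser(path: str) -> bool:
    return _base(path) in BROWSERS


def triage_event(ev: dict):
    """Return (rule_name, EventID) for one Sysmon event (fields as strings), or None.
    Each rule is a post-exploitation invariant, not a signature for the CVE itself."""
    eid = ev["EventID"]
    if eid == 1 and _is_browser(ev.get("ParentImage", "")):
        # Browsers spawn helpers of their own image; any other child is non-standard.
        if _base(ev["Image"]) != _base(ev["ParentImage"]):
            return ("browser_nonstandard_child", eid)
    elif eid == 7 and _is_browser(ev.get("Image", "")):
        if ev.get("Signed") != "true" or ev.get("Signature") not in TRUSTED_SIGNERS:
            return ("browser_untrusted_image_load", eid)
    elif eid == 10 and _is_browser(ev.get("SourceImage", "")):
        granted = int(ev["GrantedAccess"], 16)
        if _base(ev["TargetImage"]) == "lsass.exe" and granted & PROCESS_VM_READ:
            return ("browser_lsass_read_access", eid)
    elif eid == 11 and _is_browser(ev.get("Image", "")):
        target = ev["TargetFilename"].lower()
        if not any(m.lower() in target for m in PROFILE_MARKERS):
            return ("browser_write_outside_profile", eid)
    elif eid in (12, 13, 14) and _is_browser(ev.get("Image", "")):
        target = ev["TargetObject"].lower()
        if any(target.startswith(k.lower()) for k in PERSISTENCE_KEYS):
            return ("browser_persistence_registry_write", eid)
    return None


def triage(events):
    """Run every event through the rules and keep the findings, in input order."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events shaped like Sysmon fields; not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": CHROME, "Image": CHROME},  # renderer child, benign
    {"EventID": 1, "ParentImage": CHROME, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\stage.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 11, "Image": CHROME,
     "TargetFilename": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 11, "Image": CHROME, "TargetFilename": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"EventID": 13, "Image": CHROME,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

if __name__ == "__main__":
    for rule, eid in triage(SAMPLE_EVENTS):
        print(f"Event ID {eid}: {rule}")
```

Run over the constructed sample, the benign renderer child, the signed kernel32.dll load and the cookie-file write produce nothing; the cmd.exe child, the unsigned Temp DLL, the lsass.exe handle, the write into Roaming and the Run-key entry each produce one finding. Nothing in the pass refers to the CVE; it fires on what the browser process is doing after the escape.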
Network-side, the renderer fetch that delivers the exploit is indistinguishable from any other JavaScript download on inspection. TLS-terminated egress is the only viewpoint that sees the payload, and even there the script obfuscation reduces signature value. The harder signal is the post-compromise C2. The observed campaign used domain-fronted HTTPS to a CDN edge with a backend that responded with structured beacon traffic on a ten-minute jitter. JA3/JA4 fingerprinting catches the beacon client if it is anything other than the host browser. If the implant is staged inside the browser process and reuses Chromium’s network stack, the JA3 collapses to the browser’s own and the network distinction is lost. That is the design goal of recent post-exploitation tooling and it works here.
The patch closes the descriptor validation by re-checking the inner length against the residual buffer after header consumption. The fix is small. It is also load-bearing. Pre-patch builds remain exploitable indefinitely against any renderer RCE primitive that lands in the same Mojo-accessible context. Chromium downstream consumers - Electron applications, embedded Chromium frames in third-party products, vendor-forked browsers - inherit the bug on their own update cycles. Electron in particular runs application code with greater trust than a web page and frequently exposes broader Mojo surface to the renderer through nodeIntegration or custom IPC wiring. An Electron app shipping Chromium 128.0.6613.118 or earlier carries the escape primitive into whatever desktop context the application owns. That context is often more privileged than the browser case.
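The validation gap described in the bug walkthrough and the residual-buffer re-check described as the patch can both be shown on one small model. This is an added example written for this page, not Chromium code, not the real mojom layout and not the generated bindings: it assumes a hypothetical wire format (a uint32 header length, a header block, then a 12-byte descriptor of payload_len, flags and handle_index, then the payload) and a constructed 32-byte scratch slot. validate_outer_only checks only what the text says the generated deserialiser checks; validate_full adds the post-patch inner-length check before any copy happens.

```python
import struct

# Hypothetical wire layout for this model (not Chromium's mojom or generated bindings):
#   uint32 header_len | header[header_len] | descriptor (uint32 payload_len, uint32 flags,
#   uint32 handle_index) | payload[payload_len]
DESC_SIZE = 12     # fixed-size descriptor that follows the variable-length header block
SCRATCH_SIZE = 32  # constructed size of the fixed browser-side slot the payload lands in


def validate_outer_only(msg: bytes):
    """The flawed pattern: confirm the header block and the descriptor fit inside the
    message, then take descriptor.payload_len on trust.
    Returns (payload_offset, claimed_payload_len), or None if the outer check fails."""
    if len(msg) < 4:
        return None
    (header_len,) = struct.unpack_from("<I", msg, 0)
    desc_off = 4 + header_len
    if desc_off + DESC_SIZE > len(msg):
        return None
    payload_len, _flags, _handle_index = struct.unpack_from("<III", msg, desc_off)
    return desc_off + DESC_SIZE, payload_len


def validate_full(msg: bytes):
    """Patched shape: once the header block and descriptor are consumed, re-check the
    inner length against the residual buffer and against the destination slot."""
    outer = validate_outer_only(msg)
    if outer is None:
        return None
    payload_off, payload_len = outer
    residual = len(msg) - payload_off
    if payload_len > residual:        # claims bytes past the buffer tail
        return None
    if payload_len > SCRATCH_SIZE:    # would not fit the fixed scratch slot
        return None
    return payload_off, payload_len


def handle_message(msg: bytes) -> bytes:
    """Copy the payload into the fixed slot only after full validation."""
    checked = validate_full(msg)
    if checked is None:
        raise ValueError("message rejected by descriptor validation")
    payload_off, payload_len = checked
    scratch = bytearray(SCRATCH_SIZE)
    scratch[:payload_len] = msg[payload_off:payload_off + payload_len]
    return bytes(scratch[:payload_len])


def build_message(header_len: int, claimed_len: int, actual_len: int) -> bytes:
    """Construct a test message whose descriptor claims claimed_len payload bytes
    while only actual_len bytes actually follow it."""
    return (struct.pack("<I", header_len) + b"\xaa" * header_len
            + struct.pack("<III", claimed_len, 0, 0) + b"A" * actual_len)


if __name__ == "__main__":
    # Descriptor sits exactly at the tail, claims 8 bytes that are not there.
    crafted = build_message(header_len=8, claimed_len=8, actual_len=0)
    print("outer-only:", validate_outer_only(crafted))  # (24, 8): accepted
    print("full:", validate_full(crafted))              # None: rejected
```

The crafted message passes the outer check because the header block and descriptor genuinely fit; only the comparison of the claimed length against the bytes remaining after the descriptor catches it, which is the check the patch adds. The same function also rejects a message whose payload is present but larger than the slot, so the destination size is validated alongside the residual buffer.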
Residual exposure after Chrome Stable updates is not zero. Enterprise deployments running staged rollouts hold vulnerable versions for days to weeks. Managed environments using extended-stable channels carry the bug longer. Embedded Chromium in CI runners, Electron desktop tooling, and kiosk systems updates on its own schedule, and often not at all. The patch boundary is published. The exploitation primitive is now known to the offensive research community. The exploitation window for the chain remains open against any host where the Chromium-derived process is below 128.0.6613.119 and renderer-reachable JavaScript can be served.