V8 Resources

These are some resources I've gathered while trying to learn V8 internals (with a security focus), feel free to suggest a resource using a pull request.

Articles

• [2012/06/03] - Explaining JavaScript VMs in JavaScript - Inline Caches
• [2014/12/15] - Deoptimize me not, v8
• [2015/01/11] - What's up with monomorphism?
• [2015/10/08] - Sea of Nodes
• [2014/12/14] - Google Chrome Exploitation – A Case Study
• [2017/03/01] - V8: Behind the Scenes (February Edition feat. A tale of TurboFan)
• [2017/08/16] - Understanding V8’s Bytecode
• [2018/12/08] - All Functions are Closures: Discussing Scope and Closure in JS
• [2019/01/22] - Exploiting the Magellan bug on 64-bit Chrome Desktop
• [2019/04/29] - Don't Follow The Masses: Bug Hunting in JavaScript Engines
• [2019/05/09] - Circumventing Chrome's hardening of typer bugs
• [2019/07/04] - V8 Optimize: Reduce Node && Inline
• [2019/07/03] - V8 Optimize: FrameState
• [2019/08/06] - V8 function optimization
• [2019/08/28] - Notes about GraphReducer in V8
• [2019/08/28] - Redundancy Elimination Reducer in V8 and 34C3 CTF V9
• [2020/02/##] - Pointer Compression in V8
• [2020/08/27] - [V8 Deep Dives] Understanding Map Internals
• [2020/11/17] - Modern attacks on the Chrome browser : optimizations and deoptimizations
• [2021/01/12] - In-the-Wild Series: Chrome Infinity Bug
• [2021/04/21] - Exploit Development: Browser Exploitation on Windows - Understanding Use-After-Free Vulnerabilities
• [2021/04/02] - [V8 Deep Dives] Random Thoughts on Math.random()
• [2021/10/05] - Phrack: Exploiting Logic Bugs in JavaScript JIT Engines
• [2021/12/28] - V8 Heap pwn and /dev/memes - WebOS Root LPE
• [2022/01/23] - Fuzzing Chromes JavaScript Engine v8
• [2022/05/20] - Rooting Samsung Q60T Smart TV
• [2022/06/29] - The Chromium super (inline cache) type confusion
• [2022/07/28] - JavaScript Bytecode – v8 Ignition Instructions
• [2022/08/29] - Understand WebAssembly in One Article
• [2022/09/20] - From Leaking TheHole to Chrome Renderer RCE
• [2022/10/22] - Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals
• [2022/11/27] - Code Execution in Chromium’s V8 Heap Sandbox
• [2023/02/23] - Exploring Historical V8 Heap Sandbox Escapes I
• [2023/05/16] - Google Chrome V8 ArrayShift Race Condition Remote Code Execution
• [2023/10/17] - Getting RCE in Chrome with incomplete object initialization in the Maglev compiler
• [2023/11/16] - Deep JS. In memory of data and types
• [2023/12/11] - Safari, Hold Still for NaN Minutes!
• [2023/12/12] - Abusing Liftoff assembly and efficiently escaping from sbx
• [2024/01/09] - A Brief JavaScriptCore RCE Story
• [2024/01/25] - A Deep Dive into V8 Sandbox Escape Technique Used in In-The-Wild Exploit
• [2024/02/21] - Summary of WebAssembly Security Research
• [2024/05/##] - From the Vulnerability to the Victory: A Chrome Renderer 1-Day Exploit’s Journey to v8CTF Glory
• [2024/06/05] - An Introduction to Chrome Exploitation - Maglev Edition
• [2024/06/26] - Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties
• [2024/08/13] - From object transition to RCE in the Chrome renderer
• [2024/08/19] - Phrack: Allocating new exploits
• [2024/09/05] - Miscellaneous Series 2 — A Script Kiddie Diary in v8 Exploit Research Part 1
• [2024/10/25] - A deep dive into Linux’s new mseal syscall
• [2024/11/03] - Mind the v8 patch gap: Electron's Context Isolation is insecure
• [2024/12/09] - Miscellaneous Series 3— A Script Kiddie Diary in v8 Exploit Research Part 2
• [2025/01/02] - Overview of WebAssembly Type Confusion in JavaScript Engines Exploitation
• [2025/01/20] - Miscellaneous Series 4— A Script Kiddie Diary in v8 Exploit Research Part 3
• [2025/02/01] - Overview of Map Exploitation in v8
• [2025/04/11] - Intro V8
• [2025/04/12] - Compiler Design 1
• [2025/04/12] - Compiler Design Principles in V8
• [2025/04/13] - Lexical Analysis
• [2025/04/14] - Parser Workflow
• [2025/07/18] - 101 Chrome Exploitation — Part 0: Preface
• [2025/08/22] - DEFCON is fun, finding a V8 bug is even more fun
• [2025/09/10] - Out-of-bound read in ANGLE CopyNativeVertexData from Compromised Renderer
• [2025/10/01] - 101 Chrome Exploitation — Part 1: Architecture
• [####/##/##] - V8 Overview

Official Docs/Blogs

• [2015/12/17] - There’s Math.random(), and then there’s Math.random()
• [2017/09/12] - Elements kinds in V8
• [2017/10/05] - Optimizing ES2015 proxies in V8
• [2017/11/16] - Taming architecture complexity in V8 — the CodeStubAssembler
• [2017/12/13] - JavaScript code coverage
• [2018/06/18] - JavaScript modules
• [2018/08/14] - Embedded builtins
• [2018/09/18] - Improving DataView performance in V8
• [2019/01/03] - Trash talk: the Orinoco garbage collector
• [2019/01/07] - Zero-cost async stack traces
• [2019/04/23] - A year with Spectre: a V8 perspective
• [2019/09/11] - Compressed pointers in V8
• [2020/03/30] - Pointer Compression in V8
• [2021/07/##] - V8 Sandbox
• [2022/02/##] - V8 Sandbox - Address Space
• [2022/02/##] - V8 Sandbox - Sandboxed Pointers
• [2022/07/##] - V8 Sandbox - External Pointer Sandboxing
• [2022/12/##] - V8 Sandbox - Code Pointer Sandboxing
• [2023/02/11] - Turboshaft Frontend - Preliminary Design Elements
• [2023/10/09] - Control-flow Integrity in V8
• [2023/10/##] - V8 Sandbox - Trusted Space
• [2023/10/03] - Turboshaft JS Inlining and In-place Mutations
• [2023/11/01] - A new way to bring garbage collected programming languages efficiently to WebAssembly
• [2023/11/27] - Maglev with the Reducer Framework (Preliminary Investigation)
• [2023/12/14] - V8 is Faster and Safer than Ever!
• [2024/01/##] - Const tracking lets
• [2024/02/##] - Maglev as a Frontend for Turboshaft
• [2024/02/##] - V8 Sandbox - Hardware Support
• [2024/04/04] - The V8 Sandbox
• [2024/07/##] - V8 Sandbox + Leaptiering
• [2025/03/25] - Land ahoy: leaving the Sea of Nodes
• [####/##/##] - Maps (Hidden Classes) in V8
• [####/##/##] - Stack trace API
• [####/##/##] - V8 Torque user manual
• [####/##/##] - V8 Torque builtins
• [####/##/##] - CodeStubAssembler builtins
• [####/##/##] - Built-in functions
• [####/##/##] - Investigating memory leaks
• [####/##/##] - The Rule Of 2
• [####/##/##] - CHECK(), DCHECK() and NOTREACHED()

CVEs Walkthrough

• [2021/06/09] - CVE-2021-30551: Chrome Type Confusion in V8
• [2021/08/16] - Exploiting CVE-2021-21225 and disabling W^X
• [2021/08/16] - A Bug's Life: CVE-2021-21225
• [2022/03/11] - Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability
• [2022/06/12] - Root Cause Analysis of CVE-2021-21224
• [2022/12/06] - TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)
• [2024/01/19] - Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution
• [2024/02/24] - Analyzing the Google Chrome V8 CVE-2024-0517 Out-of-Bounds Code Execution Vulnerability
• [2024/05/02] - CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome
• [2024/05/19] - CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion
• [2024/08/14] - V8 CVE-2021-21224 Renderer RCE Root Cause Analysis
• [2024/08/14] - CVE-2024-0517 Chrome V8 Out of Bounds Write
• [2024/08/30] - CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes
• [2024/09/19] - Zooming in on CVE‑2024‑7965
• [2024/11/14] - Firefox Animation CVE-2024-9680
• [2024/12/12] - CVE-2024-12695 Incorrect implementation of the fast path in Object.assign() lead to memory corruption
• [2025/06/20] - CVE-2025-5959
• [2025/08/01] - CVE-2025-2135 Analysis
• [2025/08/##] - CVE-2025-5419
• [2025/08/##] - CVE-2025-6554
• [2025/10/05] - CVE-2025-6554: 3rd hole exploitation technique
• [2025/10/07] - CVE-2025-6554: The (rabbit) Hole
• [####/##/##] - CVE-2024-0517 (Out of Bounds Write in V8)

Presentations

• [2016/11/11] - Turbofan IR
• [2019/##/##] - Attacking Turbofan TyphoonCon 2019 - Seoul
• [2021/##/##] - CS 253: Web Security Browser architecture, Writing secure code
• [2022/11/11] - Time-Traveling JIT Bugs
• [2024/08/##] - Achilles' Heel of JS Engines: Exploiting Modern Browsers During WASM Execution
• [2024/08/##] - Super Hat Trick Exploit Chrome and Firefox Four Times
• [2024/11/##] - WebAssembly Is All You Need - Exploiting Chrome and the V8 Sandbox 10+ times with WASM
• [2024/12/04] - V8 WebAssemploit
• [2024/##/##] - Fuzzing for complex bugs across languages in JS Engines
• [2024/##/##] - Fake it till you make it: Bypassing V8 Sandbox by constructing a fake Isolate
• [####/##/##] - TurboFan JIT Design

Talks

• [2008/09/15] - V8: an open source JavaScript engine
• [2009/06/02] - Google I/O 2009 - V8: ..High Performance JavaScript Engine
• [2014/10/29] - Empire Node - Compiler are our friends - Fedor Indutny
• [2017/05/16] - Franziska Hinkelmann: JavaScript engines - how do they even? | JSConf EU
• [2017/05/18] - Marja Hölttä: Parsing JavaScript - better lazy than eager? | JSConf EU 2017
• [2018/04/26] - Fuzzing Javascript Engines for Fun and Pwnage - Areum Lee & Jeonghoon Shin
• [2018/06/14] - JavaScript Engines: The Good Parts™ - Mathias Bynens & Benedikt Meurer - JSConf EU 2018
• [2018/11/06] - Orinoco: The new V8 Garbage Collector Peter Marshall
• [2020/01/15] - Attacking Client-Side JIT Compilers
• [2020/02/11] - Tobias Tebbi: V8 Torque: A Typed Language to Implement JavaScript
• [2020/04/06] - Practical Exploitation of Math.random on V8
• [2020/12/01] - Chromium University
• [2021/01/16] - HackTheBox - Rope2
• [2022/11/17] - Breaking the Chrome Sandbox with Mojo
• [2023/05/30] - OffensiveCon23 - Samuel Groß & Carl Smith - Advancements in JavaScript Engine Fuzzing
• [2023/10/23] - #OBTS v6.0: "Safari, Hold Still for NaN Minutes!" - Javier Jimenez & Vignesh Rao
• [2024/06/04] - OffensiveCon24 - Samuel Groß - The V8 Heap Sandbox
• [2024/10/14] - BSides Oslo 2024 - Chrome Browser Exploitation: from zero to heap sandbox escape
• [2024/10/29] - Attacking V8, Ayman - BSides Canberra 2024
• [2024/11/01] - Introduction to JavaScript and V8 for Browser Exploitation
• [2024/08/31] - Off-By-One 2024 Day 1- Exploring WebKit’s Just In Time Compilation: Vignesh S Rao
• [2025/02/21] - Chrome Browser Exploitation: from zero to heap sandbox escape - Matteo Malvica - NDC Security 2025
• [2025/04/11] - WebAssembly Is All You Need:Exploiting Chrome and the V8 Sandbox 10+ times with WASM

CTFs Writeups

• [2019/01/02] - Exploiting Chrome V8: Krautflare (35C3 CTF 2018)
• [2019/01/02] - Exploiting the Math.expm1 typing bug in V8
• [2019/01/28] - Introduction to TurboFan
• [2019/12/13] - Exploiting v8: *CTF 2019 oob-v8
• [2020/09/28] - DownUnderCTF 2020: Is this pwn or web?
• [2021/04/06] - Turboflan PicoCTF 2021 Writeup (v8 + introductory turbofan pwnable)
• [2021/08/23] - corCTF 2021 - Outfoxed
• [2021/##/##] - HITCON CTF 2021: Hole
• [2022/02/06] - DiceCTF 2022 - memory hole
• [2022/02/06] - Dice CTF Memory Hole: Breaking V8 Heap Sandbox
• [2022/07/03] - Google CTF 2022 d8: From V8 Bytecode to Code Execution
• [2022/11/28] - HITCON CTF 2022 - Fourchain - Browser
• [2022/12/24] - KITCTFCTF 2022 V8 Heap Sandbox Escape
• [2023/08/##] - Google CTF 2023 - v8box
• [2023/12/07] - Start Your Engines - Capturing the First Flag in Google's New v8CTF
• [2023/12/30] - ASIS CTF Finals 2023: isWebP.js
• [2024/03/02] - v8 CTF out of bounds 2019: Installing v8 Part 1
• [2024/03/12] - v8 CTF out of bounds 2019 Part 2: What they don’t tell you about setting up your GDB.
• [2024/05/26] - Exploiting V8 at openECSC
• [2024/07/14] - Breaking V8 Sandbox with Trusted Pointer Table
• [2024/10/##] - openECSC 2024 - Final Round: Backfired
• [2024/12/24] - BackdoorCTF 2024 - V8Box
• [2024/##/##] - AliyunCTF 2024 - BadApple
• [2025/03/17] - UTCTF 2025 - E-Corp Part 2
• [2025/05/14] - DEF CON CTF Quals 2025 memorybank Write-Up: Investigating V8 Garbage Collector
• [2025/06/05] - Advanced CTF Challenge Write-up: "Chrome Sandbox Escape via V8 JIT Compiler Vulnerability"
• [2025/10/07] - Securinets Quals 2025: Sukunahikona
• [2025/10/11] - Securinets Quals 2025: Sukunahikona (another writeup)

Papers

• [2013/10/28] - An Intermediate Representation for Speculative Optimizations in a Dynamic Compiler
• [2014/06/12] - Allocation Folding Based on Dominance
• [2015/##/##] - The Security Architecture of the Chromium Browser
• [2020/05/21] - Repairing and Mechanising the JavaScript Relaxed Memory Model
• [2022/11/##] - DUMPLING: Fine-grained Differential JavaScript Engine Fuzzing
• [2024/02/19] - CovRL: Fuzzing JavaScript Engines with Coverage-Guided Reinforcement Learning for LLM-based Mutation
• [2024/08/##] - White Paper (Super Hat Trick: Exploit Chrome and Firefox Four Times)

More

• V8 Resources
• Understanding Chrome V8
• learning-v8
• v8-perf

P.S: Note that I don't support Google, nor do I condone Google’s support of Israel in its ethnic cleansing of Palestinian people. This is simply me researching an open-source project that is widely used in various applications.

P.S.S: The articles listed above are included solely for their technical content; the views, backgrounds, or actions of the authors do not reflect my endorsement.