Race Against Time: Cracking V8's ReadableStream with SharedArrayBuffers
Jan 22, 2026
Executive Summary (TL;DR)
CVE-2025-8880 is a TOCTOU (Time-of-Check to Time-of-Use) race condition in Google Chrome's V8 engine. It occurs when `ReadableStream` consumers, specifically the WebAssembly streaming compiler, read data from a `SharedArrayBuffer`. Because the buffer is shared, a malicious worker thread can modify the memory *after* V8 validates it but *before* V8 compiles it. This allows attackers to bypass security checks, confuse the compiler, and potentially escape the V8 Sandbox to execute arbitrary code.
In the quest for blazing-fast JavaScript execution, the V8 engine introduces a classic race condition. By feeding the WebAssembly streaming compiler a ReadableStream backed by a mutable SharedArrayBuffer, attackers can pull a 'bait-and-switch' on the engine—modifying the module bytes between validation and compilation to achieve Remote Code Execution.
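The check-then-use window described above, modelled as an added example (a constructed illustration, not V8 source and not the exploit): a toy magic-number check stands in for WebAssembly module validation, and a callback stands in for the worker thread winning the race. The hardened variant copies the chunk out of shared memory before validating it, which is the general fix for this class of bug.

```javascript
// Constructed model of the check-then-use pattern; NOT V8 code.
// A consumer validates a chunk and then uses its bytes. When the chunk is a
// view over a SharedArrayBuffer, another agent may rewrite it in between.

const MAGIC = [0x00, 0x61, 0x73, 0x6d]; // "\0asm": toy stand-in for full validation

function isWellFormed(bytes) {
  return bytes.length >= 8 && MAGIC.every((b, i) => bytes[i] === b);
}

// Vulnerable consumer: validates the shared view, then uses the SAME shared view.
// `raceHook` models the other thread writing between check and use.
function consumeVulnerable(view, raceHook) {
  if (!isWellFormed(view)) return { accepted: false, used: [] };
  raceHook();                      // TOCTOU window: shared memory changes here
  return { accepted: true, used: Array.from(view.subarray(0, 4)) };
}

// Hardened consumer: snapshot into non-shared memory first, then validate and
// use the snapshot. Writers to the SharedArrayBuffer can no longer alter what
// was validated.
function consumeHardened(view, raceHook) {
  const snapshot = new Uint8Array(view.length);
  snapshot.set(view);              // copy out of shared memory exactly once
  if (!isWellFormed(snapshot)) return { accepted: false, used: [] };
  raceHook();                      // the race now hits memory we no longer read
  return { accepted: true, used: Array.from(snapshot.subarray(0, 4)) };
}

// Constructed scenario: a SAB holding a well-formed header and a writer that
// overwrites the header after the check (stands in for the worker thread).
function runScenario(consume) {
  const sab = new SharedArrayBuffer(8);
  const view = new Uint8Array(sab);
  view.set([...MAGIC, 1, 0, 0, 0]);
  const writer = () => view.fill(0xff, 0, 4);
  return consume(view, writer);
}

// Assurance check a reviewer can apply to any consumer: were the bytes that
// were used the same bytes that passed validation?
function usedWhatWasValidated(result) {
  return result.accepted && MAGIC.every((b, i) => result.used[i] === b);
}
```

Running `runScenario(consumeVulnerable)` shows the consumer acting on bytes that never passed validation, while `runScenario(consumeHardened)` acts only on the validated copy.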
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Google Chrome | Google | < 139.0.7258.127 | 139.0.7258.127 |
| Microsoft Edge | Microsoft | < 139.0.2155 | 139.0.2155 |
| Attribute | Detail |
|---|---|
| CWE | CWE-362 (Race Condition) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Network (Drive-by Download) |
| EPSS Score | 0.00103 (Low/Early) |
| Exploit Status | PoC Available (Internal/Research) |
| Impact | Remote Code Execution (RCE) |