Security @Google; @FluxFingers/@Sauercl0ud; previously V8 Security, Intern {Project Zero, @XI_Research}. Personal account. rwx.page on Bluesky.

Joined May 2014
Carl Smith retweeted
#Zer0Con2026 - SPEAKER 🎃 Pumpkin Chang(@u1f383) from DEVCORE - “Modern Android Kernel Exploitation Through a Mali Driver Vulnerability” For more: zer0con.org
Carl Smith retweeted
#Zer0Con2026 - SPEAKER 🌌 Brendon Tiszka from Google Project Zero - “Researcher’s Guide to the Galaxy: Digging into Samsung 0-click, Android Messengers, DNG, and other image formats” For more: zer0con.org
Carl Smith retweeted
29 Oct 2025
We derestricted crbug.com/382005099 today which might just be my favorite bug of the last few years: bad interaction between WebAudio changing the CPU's handling of floats and V8 not expecting that. See crbug.com/382005099#comment1… for a PoC exploit. Also affected other browsers

Carl Smith retweeted
25 Oct 2025
I'm pretty excited about this (POE2 in particular)! It's basically what we've been preparing for with the PKEY-based hardware sandboxing prototype for V8 (docs.google.com/document/d/1…)
24 Oct 2025
More HW security goodness from Arm: community.arm.com/arm-commun… vMTE (Virtual Memory Tagging) allows MTE to be used in a more flexible way, consuming less RAM. POE2 allows building efficient in-process sandboxes and isolation. More or less an improvement over x86 Memory Protection Keys.
Carl Smith retweeted
10 Aug 2025
If you like Chrome IPC shenanigans like this, you might also enjoy my talk from Black Hat 25: youtu.be/qhhJCLy0YBA?si=qLz2…
9 Aug 2025
Whoah... $250,000 (CVE-2025-4609, similar to CVE-2025-2783/412578726) [412578726][Mojo][IpczDriver] ipcz bug -> renderer duplicates browser process handle -> escape sbx is now open with PoC & exploit (success rate is nearly 70%-80%) issues.chromium.org/issues/4… issues.chromium.org/issues/4…
Carl Smith retweeted
That time when @tehjh was just reviewing a new Linux kernel feature, found a security vuln, then went on a journey to see if he could exploit it from inside the Chrome Linux Desktop renderer sandbox (spoiler: very yes) googleprojectzero.blogspot.c…
Carl Smith retweeted
1 Aug 2025
We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojectzero… It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Carl Smith retweeted
9 Jul 2025
If you have a machine with PKEY support and a recent Linux kernel, you can now play around with hardware support for the V8 sandbox. When active, JS and Wasm code has no write permissions outside the sandbox address space. To enable, set `v8_enable_sandbox_hardware_support = true`.
Carl Smith retweeted
16 Apr 2025
...and now, introducing Part 6 of @j00ru's work on the Windows Registry: googleprojectzero.blogspot.c… 📖👀
19 Dec 2024
Part 5 of @j00ru's Windows Registry Adventure is out! googleprojectzero.blogspot.c… Incredible depth of knowledge on display, and good to see it shared as a reference with the world ❤️
Carl Smith retweeted
26 Mar 2025
My writeup of the 2023 NSO in-the-wild iOS zero-click BLASTDOOR webp exploit: Blasting Past Webp - googleprojectzero.blogspot.c…
Carl Smith retweeted
25 Mar 2025
Senior Software Engineer, V8 Bug Detection: google.com/about/careers/app… Software Engineer II, V8 Bug Detection: google.com/about/careers/app…

Carl Smith retweeted
25 Mar 2025
V8 Security is hiring in Warsaw! If you want to work on improving our JavaScript and Wasm fuzzers, check out the links below!
Carl Smith retweeted
I tweeted before about the Apple CoreAudio issues found by Google TAG. Well, the fuzz harness used to find these issues is now included in Jackalope examples, see github.com/googleprojectzero… . Happy fuzzing! :)

The latest Apple security update contains fixes for three CoreAudio issues (CVE-2025-24160, CVE-2025-24161, CVE-2025-24163). These were found by Google Threat Analysis Group using the Jackalope fuzzer.
Carl Smith retweeted
Congratulations to Carl Smith from the V8 Security team on joining the Black Hat USA review board as a guest reviewer. He is willing to share, and is an open-minded, hardcore researcher and developer. @cffsmith @BlackHatEvents
4 Feb 2025
I’m very excited to announce that we at V8 Security have finally published our first version of Fuzzilli that understands Wasm! Go check it out at github.com/googleprojectzero…. While we still have a way to go in improving it, we think it shows a promising approach!
4 Feb 2025
Some slides discussing some of this work can be found here: powerofcommunity.net/poc2024…

4 Feb 2025
Make sure to update to the latest swift version too!
Carl Smith retweeted
16 Jan 2025
meow meow meow meow meow meowwww
What kind of email is she sending?