
Researchers have demonstrated a remote code execution (RCE) exploit chain in Samsung Internet on the Galaxy S25, caused by the browser shipping an outdated version of Google’s V8 JavaScript engine.
The issue can ultimately be extended to universal cross-site scripting (UXSS), allowing attackers to inject malicious code across multiple websites.
The findings were published on April 1, 2026, by Hrvoje Mišetić, Jamie Hill-Daniel, and William Liu, working with the Crusaders of Rust Security Research Group. The team analyzed Samsung Internet on a Galaxy S25 by extracting its APK and inspecting its bundled native libraries, discovering that it used V8 version 13.6.233.10, which was already six months old at the time and affected by multiple publicly disclosed vulnerabilities.
Samsung Internet is a Chromium-based browser preinstalled on Samsung devices and widely used as the default mobile browser. Its security depends heavily on timely updates to V8, a component that receives frequent patches for critical vulnerabilities.
The researchers selected CVE-2025-10891, a flaw in V8’s Ignition bytecode interpreter, as their primary target. Ignition executes JavaScript by compiling it into bytecode before handing it off to more advanced compilers. The vulnerability stems from how exception handlers are stored: offsets are limited to 28 bits, and when large functions exceed that range, the value is truncated. This can redirect execution into unintended regions of bytecode, including the middle of other instructions.
By crafting oversized JavaScript functions, the researchers triggered this condition and gained partial control over execution flow. They refined this primitive using a technique dubbed “constant smuggling,” which allowed them to construct controlled bytecode sequences and expand their influence within the interpreter.
From there, they pivoted to invoking internal V8 runtime functions that are not normally accessible to web content. Their key target was DeserializeWasmModule, a function that loads serialized WebAssembly modules containing compiled machine code. By steering execution into a controlled call to this function, they achieved arbitrary native code execution inside the browser’s renderer process.
To make the exploit work on ARM-based Android devices, the team adapted their approach to generate serialized WebAssembly payloads directly on the target device, avoiding compatibility issues. This enabled the reliable execution of attacker-controlled shellcode on the Galaxy S25.
Building on the renderer compromise, the researchers demonstrated universal cross-site scripting (UXSS). Due to weaker site isolation on mobile Chromium, many unrelated websites share the same renderer process. By modifying an internal V8 function (Builtins_ConstructFunction), the exploit installs a hook that executes attacker-controlled JavaScript whenever pages are loaded, enabling cross-site data access and script injection across domains.
This is not a zero-day: the exploit relies on CVE-2025-10891, which had already been publicly disclosed and patched upstream in V8 months earlier. The risk for Samsung Internet users remains, however, because the vendor ships an engine version that predates those fixes.
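A defender-side check implied by the findings above (the team's inspection of the bundled native libraries and the outdated-engine conclusion), as an added example that is not the researchers' code: it locates the four-part V8 version string among a native library's printable strings, maps it to the Chromium milestone it belongs to, and compares it against a minimum. The constructed `strings` sample, the small-major heuristic for telling V8's version from Chromium's, and the minimum version 13.7.0.0 are assumptions; the article does not state which V8 release carries the fix.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Constructed stand-in for the printable strings pulled out of a bundled native
# library (think `strings libmonochrome.so`); a real library yields far more.
CONSTRUCTED_LIBRARY_STRINGS = b"""
Mozilla/5.0 (Linux; Android 15) AppleWebKit/537.36
136.0.7103.60
13.6.233.10
Build 2026.01
"""

# Assumed minimum for illustration only: substitute the V8 release named as
# carrying the fix in the upstream advisory for the CVE you are auditing for.
ASSUMED_MINIMUM_V8: Version = (13, 7, 0, 0)

# Both V8 and Chromium embed four-part dotted versions (major.minor.build.patch).
_FOUR_PART = re.compile(rb"(?<![\d.])(\d{1,4})\.(\d{1,4})\.(\d{1,5})\.(\d{1,5})(?![\d.])")


def parse_version(text: str) -> Version:
    """Turn '13.6.233.10' into a tuple that compares in release order."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"not a four-part version: {text!r}")
    return parts  # type: ignore[return-value]


def find_v8_version(blob: bytes) -> Optional[Version]:
    """Heuristic (an assumption, not a V8 guarantee): Chromium milestones have
    been >= 100 since 2022 while V8 majors stay small, so the highest four-part
    version with a major below 100 is taken to be V8's."""
    found: List[Version] = [tuple(int(g) for g in m.groups())  # type: ignore[misc]
                            for m in _FOUR_PART.finditer(blob)]
    candidates = [v for v in found if v[0] < 100]
    return max(candidates) if candidates else None


def expected_chromium_major(v8: Version) -> int:
    """V8 major.minor tracks the Chromium milestone: V8 13.6 ships in Chromium 136."""
    return v8[0] * 10 + v8[1]


def audit(blob: bytes, minimum: Version = ASSUMED_MINIMUM_V8) -> dict:
    """Summarise whether the bundled V8 is below the accepted minimum."""
    found = find_v8_version(blob)
    return {"v8": found, "minimum": minimum,
            "outdated": found is not None and found < minimum}


if __name__ == "__main__":
    print(audit(CONSTRUCTED_LIBRARY_STRINGS))
```

Cross-check the milestone returned by `expected_chromium_major` against the Chromium version the browser itself reports: a mismatch means the string you picked up is not the engine actually linked in.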
