
22 Chrome Exploit PoCs on an Open AWS EC2 Directory: Inside an Active CVE-2026-4440 WebGL Exploit Development Toolkit

Published April 22, 2026


With thanks to @1ZRR4H for the original tip on April 13, 2026 that pointed at this open AWS EC2 directory. Any mistakes below are ours. If you have prior reporting on this infrastructure, the operator, or any of the specific exploit chains documented here, please reach out and we will update this post and credit the earlier source.

Editorial note: an earlier version of this post was briefly taken down on April 19–20, 2026, while we revised some attribution language. The technical content in this version is unchanged; the operator-characterization sections have been softened to describe what the evidence shows rather than speculate about the operator's intent or customer base.

TL;DR

An open directory on 100.48.195[.]190:80 (AWS EC2 us-east-1, reverse DNS ec2-100-48-195-190.compute-1.amazonaws.com) exposed a working Chrome WebGL exploit development toolkit: 19 HTML PoC files targeting CVE-2026-4440 and adjacent WebGL/ANGLE vulnerabilities, plus three Python http.server scripts (two PoC-serving collectors on port 80 and a result aggregator on 8080) that deliver those PoCs and receive POST /report callbacks from the browsers that run them. That is 22 files in total; the SHA-256 list is below. The server identified itself as SimpleHTTP/0.6 on Python 3.10.12, answered with wildcard CORS, and required no authentication.

The primary target, CVE-2026-4440, is a 32-bit integer overflow in Chrome's ANGLE Vulkan backend. A texStorage3D() call for a 4096×4096 RGBA8 texture array computes width × height × 4 × layers in a 32-bit accumulator: at 64 layers the product is exactly 2^32 and wraps to 0, and at 65 to 68 layers it wraps to 64 to 256 MiB, so the staging buffer is allocated far smaller than the data the downstream copy routines move into or out of it. The bug was patched in Chrome 146.0.7680.153/154 across Windows, macOS, and Linux before this post, so update posture is the primary defensive control here.

What the toolkit shows is an operator building a multi-stage chain: a renderer-process PassAsSpan use-after-free for initial read/write + ASLR bypass, the CVE-2026-4440 GPU-process cross-process information disclosure, a MapBufferRange FencedAllocator UAF for additional primitives, and a separate index-buffer OOB in ANGLE's convertIndexBufferGPU() targeting Adreno 400/500 hardware. Stage 2 (V8/JIT) and Stage 3 (OS privilege escalation) were not present in the captured directory.

We are not naming an operator. The evidence describes a working development environment; it does not identify a vendor, broker, or customer. Defenders should treat the content as a capability-level threat map against unpatched Chrome 146.x (Android in particular — Pixel 2 with Adreno 540 and Pixel 4 with Adreno 640 were the specifically-tuned targets) and update accordingly.


What This Report Adds to the Public Record

  • The IP 100.48.195[.]190 as the hosting location for a working CVE-2026-4440 exploit development toolkit, with SHA-256 hashes for all 22 files published below for blocklist and retrohunt use.
  • The specific integer-overflow trigger condition in texStorage3D(): 4096×4096 RGBA8 at 64 or more layers, which makes the 32-bit size calculation in the ANGLE Vulkan backend wrap (to exactly zero at 64 layers, to a small non-zero value above that).
  • Six distinct PoC variants exercising CVE-2026-4440 (baseline PoC, Pixel 4 targeted, differential-layer analysis at 32/64/65, heap-overflow escalation at 65–68 layers with six trigger variants, cubemap + ETC2/ASTC + RGBA32F alternative overflow, and the format-conversion path via TextureVk.cpp).
  • Detection patterns for the toolkit's C2 callback (POST /report with a JSON "test" field), for the CVE-2026-4440 trigger at the WebGL API level (texStorage3D with depth ≥ 64 on RGBA8 4096×4096, visible in PoC source or in an instrumented browser, not on the wire), and for the PassAsSpan UAF pattern (srcOffset.valueOf() plus buffer.transfer(0)).

This report does not attempt attribution. We do not know who operates the server, what their relationship is with CVE-2026-4440's disclosure timeline, or whether the toolkit has been shared, sold, or used operationally. The findings are a capability-level description of what was on the open directory.


Infrastructure

Attribute        Value
IP address       100.48.195[.]190
Reverse DNS      ec2-100-48-195-190[.]compute-1[.]amazonaws[.]com
Provider         Amazon Web Services (AMAZO-4, NET-100-48-0-0-1)
Region           us-east-1 (inferred from the compute-1 EC2 naming convention)
NetRange         100.48.0[.]0/12
Exposed ports    80/tcp (HTTP)
Server banner    SimpleHTTP/0.6 Python/3.10.12
Service          Python http.server open directory
HTTPS            Not available (443 refused)
CORS             Access-Control-Allow-Origin: *

The server is a Python 3.10.12 http.server instance exposing a browsable open directory on port 80, with no authentication. Access-Control-Allow-Origin: * means a script on any origin can fetch the PoC files and read the responses, and, as far as the server is concerned, results can be posted to /report from any origin; nothing on the host restricts who pulls the toolkit or who pushes results into it.


CVE-2026-4440 — Root Cause

CVE-2026-4440 is a Chrome WebGL out-of-bounds read/write via an integer overflow in ANGLE's Vulkan-backend texture buffer size calculations.

The trigger is a texStorage3D() call allocating a texture array large enough that the 32-bit size calculation wraps. With 4096 × 4096 RGBA8 × 64 layers, the computed size is 4096 · 4096 · 4 · 64 = 2^32 bytes, which wraps to 0 in the 32-bit accumulator; with 65 to 68 layers it wraps to 64 to 256 MiB instead, which is why the heap-overflow variants below use those layer counts. The downstream copyImageDataToBuffer() path in vk_helpers.cpp and the format-conversion path around TextureVk.cpp:3176 then size their staging buffer from the wrapped value while moving the full, unwrapped image data through it, so the copies read from or write past the allocation.

Affected code paths:

  • vk_helpers.cpp, copyImageDataToBuffer(): staging buffer overflow
  • TextureVk.cpp (≈ line 3176): format-conversion buffer size calculation

Affected Chrome versions: < 146.0.7680.153.

Patched in Chrome 146.0.7680.153 (Windows, macOS, Linux) and 146.0.7680.154 (Windows, macOS). Current stable Chrome at the time of publication is past the patched build on all three platforms.


The Toolkit — 19 PoC Files and 3 Python Servers

CVE-2026-4440 exploitation files

File                                    Size (bytes)  SHA-256    Observed purpose
cve_2026_4440_poc.html                        17,008  fed824ec…  Baseline PoC, dual overflow path testing
cve_2026_4440_targeted_poc.html               10,765  afe0a661…  Pixel 4 / Adreno 640 specific
cve_2026_4440_comparison_poc.html              6,823  021c7f6d…  Differential analysis across 32 / 64 / 65 layer counts
cve_4440_65layer_heap_overflow.html           12,015  28876935…  Heap-overflow escalation, 65–68 layers, six trigger variants
cve_4440_cubemap_and_compressed.html          14,784  692f2629…  Alternative overflow via cubemaps, ETC2/ASTC, RGBA32F
cve_4440_format_conversion.html                9,001  cc8d7d58…  TextureVk.cpp format-conversion path
gpu_limits_probe.html                          6,501  2e05f417…  Overflow boundary dimension analysis

Multi-vulnerability chain

File                                    Size (bytes)  SHA-256    Observed purpose
stage1_combined_demo.html                     21,180  ff9ca959…  Chained PassAsSpan UAF + info disclosure + CVE-2026-4440

MapBufferRange exploitation

File                                    Size (bytes)  SHA-256    Observed purpose
poc_mapbufferrange_overlap_exploit.html       26,269  019245f4…  FencedAllocator UAF via overlapping allocations
poc_mapbufferrange_toctou.html                31,134  8e2475d2…  TOCTOU race on real GPU hardware
poc_mapbufferrange_crash_test.html             5,047  90567738…  Minimal crash trigger

Index-buffer OOB (ANGLE)

File                                    Size (bytes)  SHA-256    Observed purpose
poc_index_buffer_oob.html                     16,344  93cb9562…  convertIndexBufferGPU() OOB R/W
index_buffer_oob_pixel2.html                  12,387  2c0def09…  Pixel 2 / Adreno 540 specific
poc_vpx_bucket_gaps.html                       8,309  f90cd968…  VP9 partition isolation bypass research

Reconnaissance / fingerprinting

File                                    Size (bytes)  SHA-256    Observed purpose
gpu_info.html                                  3,011  75a4de9e…  GPU capability enumeration
pixel4_crash_diagnostic.html                   5,748  4c6d562a…  Pixel 4 stability baseline
jspi_probe.html                                8,609  452d4f3b…  JSPI / WASM feature detection
jspi_functional_test.html                      8,447  016b89b3…  JSPI stack-switching functional test
jspi_test_v2.html                              6,660  a41ab944…  Enhanced JSPI with programmatic WASM building

Server infrastructure

File                                    Size (bytes)  SHA-256    Observed purpose
server.py                                      2,099  85bfcc2e…  Primary HTTP server (port 80), serves PoCs + collects results
server_threaded.py                             2,156  d1392d08…  Threaded variant
result_server.py                               2,315  586e6c9d…  Result-aggregation server (port 8080)

Attack Chain as Observed

STAGE 0 — Reconnaissance
  gpu_info.html            GPU renderer/vendor fingerprint
  gpu_limits_probe.html    overflow boundary analysis
  pixel4_crash_diagnostic  hardware stability baseline
  jspi_probe.html          sandbox-escape feasibility

STAGE 1a — Renderer process (PassAsSpan UAF)
  stage1_combined_demo.html
    uniform1fv() UAF via srcOffset.valueOf()
    heap spray with controlled allocations
    write primitive: uniform value injection
    read primitive: freelist pointer leak
    ASLR bypass via PartitionAlloc metadata

STAGE 1b — GPU process (CVE-2026-4440)
  cve_2026_4440_*.html and cve_4440_*.html
    texStorage3D integer overflow (64+ layers)
    heap overflow in the GPU process
    cross-process information disclosure
    GPU memory leak (extension strings, buffer data)

STAGE 1c — Supplementary primitives
  poc_mapbufferrange_*.html
    FencedAllocator UAF, overlapping allocations
    TOCTOU race against the real GPU
  poc_index_buffer_oob.html + index_buffer_oob_pixel2.html
    convertIndexBufferGPU() OOB up to ~8 MB
    Adreno 400/500-series specific

STAGE 2 — Not present in captured directory
  Expected: V8 JIT / sandbox escape (JSPI research suggests direction)

STAGE 3 — Not present in captured directory
  Expected: OS privilege escalation

Exfiltration
  All stages POST /report → server.py / result_server.py
  Fields: test, timestamp, userAgent, renderer, vendor, results

Stages 2 and 3 were not present on the server at the time of the capture. The jspi_*.html files are functional probes, not working exploits.


Devices Specifically Tuned For

Device                   GPU            Mechanisms tuned for this hardware
Google Pixel 4           Adreno 640     CVE-2026-4440 primary, MapBufferRange UAF
Google Pixel 2           Adreno 540     Index-buffer OOB, CVE-2026-4440
ARM64 Android (general)  Adreno / Mali  All WebGL exploits
Desktop (secondary)      Various        CVE-2026-4440 (format-dependent)

The Pixel-specific tuning is the strongest signal in the dataset. Hardware-tailored heap spray parameters, renderer-string-specific branches, and distinct files named for Pixel 2 vs Pixel 4 all point at an operator who runs the PoCs against real devices rather than emulators.


Operator Context

The code is methodical, well-commented, and iterative — multiple named variants of the same CVE trigger (65-layer, 66-layer, 68-layer; cubemap path; format-conversion path) indicate active R&D rather than a polished weaponized delivery. There is no obfuscation, no anti-analysis, no HTTPS, no authentication on the open directory, and no attempt to hide the files. The Stage 2 and Stage 3 components are absent.

Taken together, those signals describe a development environment rather than a deployed attack platform. Beyond that, we do not speculate. We do not name an operator, a nationality, a customer base, or an intent category. The data was on an open AWS EC2 instance. Who the operator is, whether they are a bug-bounty researcher, an academic, an independent exploit developer, or something else, is not answered by the evidence we captured.

If you have prior reporting that names this operator or infrastructure, please reach out — we will update this post and credit.


C2 / Collection Architecture

Victim Browser (Chrome 146, typically Pixel 2 or Pixel 4)
    │  HTTP GET — PoC delivery
    ▼
server.py:80  /  server_threaded.py:80
    │  serves HTML from /tmp/pocs/
    │
    │  HTTP POST /report (JSON exfiltration)
    ▼
/tmp/poc_results/result_{timestamp}.json
    │
    │  HTTP GET /results (aggregation)
    ▼
result_server.py:8080

Fields observed in exfiltrated payloads:

  • test — PoC identifier
  • timestamp — ISO-8601 execution time
  • userAgent — full browser UA string
  • renderer — GPU renderer string (e.g. Adreno (TM) 640)
  • vendor — GPU vendor
  • results — test-specific data: crash counts, leaked hex bytes, corruption rates, freelist pointers

CORS is wildcard, meaning any domain can embed the PoC files and submit results back to server.py. It also means a defender detonating the PoCs in a sandbox can intercept or redirect the /report callback to a collector of their own and observe the protocol without an origin check getting in the way.


IOCs

Network:

100.48.195[.]190                                  exploit-host IP
http://100.48.195[.]190:80/                       open directory root
http://100.48.195[.]190:80/report                 C2 exfiltration endpoint
ec2-100-48-195-190[.]compute-1[.]amazonaws[.]com  reverse DNS
80/tcp                                             PoC delivery + result collection
8080/tcp                                           result aggregation
Server: SimpleHTTP/0.6 Python/3.10.12              banner

File hashes (SHA-256):

fed824ecf9b2723df754ddc530a5fec5fc1f52259f1ff1b95e46338fda495e5e  cve_2026_4440_poc.html
afe0a661a82bad8bfacd4b4fdbb0c38112b4116993a29f812d2d83bd54d7dd45  cve_2026_4440_targeted_poc.html
021c7f6dd0655c1611bcb59f5d0894b13484bd1338f3bcee1a6a4d76c1d02e0c  cve_2026_4440_comparison_poc.html
2887693584bab11e22383825402602b35f7b5a3fa114f3c5e81d887b8cae07e2  cve_4440_65layer_heap_overflow.html
692f2629a33de1f7fa973cb5c83aa8835f3ac8bb396d4b6ee0cf2cadc980868a  cve_4440_cubemap_and_compressed.html
cc8d7d58a5cc4d410ea6b680c23d8754b3029be464f74d9444ac56501dc2c21e  cve_4440_format_conversion.html
ff9ca959412b086ec3c8def9e9dac24208cbde70c7042e9feea03a1c92999a7a  stage1_combined_demo.html
019245f443fe1b68926dad658fbf98fca6918ae33c21446209a488b4d08af713  poc_mapbufferrange_overlap_exploit.html
8e2475d293e307b97e7fcf34845d7f6047141b8795d4d912d2bd78b988861e35  poc_mapbufferrange_toctou.html
90567738e21b85be8365fce026a81d00109e802345bcdc0556c471efeb0d8753  poc_mapbufferrange_crash_test.html
93cb956290ea727b58be3d134872830c4f90b0f3747bd036bd05c1fdac3ef8ff  poc_index_buffer_oob.html
2c0def09409b4ce4767935a8dcaa25e44d3b9769aca5b74ffa29026de7dc283b  index_buffer_oob_pixel2.html
f90cd96834d8dac0183ee569e396ca0e9b56f8248a74bd00aa62a010c04bfa00  poc_vpx_bucket_gaps.html
75a4de9e9bfad99d94c3d7c31a0a81f91c57261f9af7a2cee907e37a8f7f49b2  gpu_info.html
2e05f417726c4aafb61a88dede3156e33ac62c7b944342272336323c60179e59  gpu_limits_probe.html
4c6d562a68d10242d158b8a1a1a0d9dd951eccf0f48b103cbe6210e2ddafe0f1  pixel4_crash_diagnostic.html
452d4f3b4f3ce2abda1825088a77383316319f9f0c3a43c55be5f34ef88b8463  jspi_probe.html
016b89b322f35fda0381db9febe63d71b44aa0ce555d0fc5eaaf79f9e0f1b64d  jspi_functional_test.html
a41ab944ec53b4655632ea79b1b6bda313f4436bcfe953178f7995916d48635a  jspi_test_v2.html
85bfcc2ed51c56b4e7beba47edbe257f518b0373f7437a8c6bab319fc889c951  server.py
d1392d08d6575bfae23b7e886724c1903c8266c46a1a113ba2608a15d095302a  server_threaded.py
586e6c9d916115aaed65215cd37e20254d17c7ae8d7fd9b3d8317e628936995f  result_server.py

Detection patterns:

HTTP POST /report with JSON body containing `"test":` field   → toolkit C2 callback
texStorage3D(depth >= 64, RGBA8 at 4096x4096)                  → CVE-2026-4440 trigger
getBufferSubData(nonZeroOffset) on STREAM_READ buffer          → MapBufferRange UAF
srcOffset.valueOf() + buffer.transfer(0) pattern               → PassAsSpan UAF
WEBGL_debug_renderer_info query from JS context                → GPU fingerprinting

MITRE ATT&CK Mapping

Technique ID  Name                                                              Observed use
T1189         Drive-by Compromise                                               WebGL exploit delivery via browser
T1203         Exploitation for Client Execution                                 CVE-2026-4440 triggers code in GPU process
T1005         Data from Local System                                            GPU memory leak reveals cross-process data
T1082         System Information Discovery                                      gpu_info.html enumerates GPU capabilities
T1041         Exfiltration Over C2 Channel                                      POST /report sends victim data to operator server
T1059.007     Command and Scripting Interpreter: JavaScript                     All PoCs execute via browser JS + WebGL
T1587.004     Develop Capabilities: Exploits                                    Active iterative exploit development
T1583.003     Acquire Infrastructure: Virtual Private Server                    AWS EC2 hosting
T1588.005     Obtain Capabilities: Exploits                                     CVE-2026-4440 (patched but still targetable on unpatched Chrome)
T1499.004     Endpoint Denial of Service: Application or System Exploitation    GPU process crash via heap overflow

Recommendations for Defenders

  • Confirm Chrome is at 146.0.7680.153 or later across your fleet; CVE-2026-4440 is patched at and above that build. Android fleets are the highest priority given the Pixel 2 / Pixel 4 specific tuning in the toolkit.
  • Deploy detections on the patterns listed above, with the right sensor for each. The POST /report JSON callback is a network signature (cleartext HTTP on this host). The texStorage3D depth ≥ 64 pattern is a WebGL API call: it is visible in PoC source served in the clear (content inspection of HTML) and in an instrumented browser or sandbox, not in network traffic on its own.
  • Add all 22 SHA-256 hashes to hash-feed blocklists and retrohunt jobs.
  • Add 100.48.195[.]190 to egress-block lists while it remains under the same operator's control; it is the primary network IOC. EC2 public addresses are reassigned once an instance is released, so time-bound the block and re-verify before relying on it long term.
  • For Android managed fleets: no WebGL setting disables only the cubemap or compressed-texture paths used by the alternative overflow variant, so the choice is between enforcing the patch and disabling WebGL outright via Chrome enterprise policy until patch compliance hits 100%.
  • Submit any captured samples to MalwareBazaar / VirusTotal to widen the community-detection footprint.

Disclosure

  • AWS Trust & Safety — for 100.48.195[.]190 (us-east-1 EC2 instance, open directory hosting active exploit development content)
  • Google Chrome Security — for awareness that an operator is iterating CVE-2026-4440 PoCs across multiple overflow paths; the MapBufferRange fix (commit 7500f1d7, main branch, 2026-03-17) should be verified as cherry-picked to stable if it has not already
  • MITRE — for CVE mapping accuracy
  • CERT/CC and Google Android Security — for the Pixel 2 / Pixel 4 hardware-specific targeting pattern

GHOST — Breakglass Intelligence. "One indicator. Total infrastructure." Original disclosure: @1ZRR4H.
