The analysis of this bug can be found here.
The exploit here is tested on the official build of Chrome version 125.0.6422.112, on Ubuntu 22.04. The following build config was used to build Chromium:

```
is_debug = false
symbol_level = 1
blink_symbol_level = 1
dcheck_always_on = false
is_official_build = true
chrome_pgo_phase = 0
v8_symbol_level = 1
```
If successful, on Ubuntu 22.04, it should launch xcalc when calc.html is opened in Chrome.
Shellcode and some addresses may need changing on other platforms.