All corrections
X April 7, 2026 at 11:42 PM

x.com/kalomaze/status/2041639260215009355

1 correction found

1
Claim
found a way to get full kernel access via execution of normal javascript on an ordinary web page
Correction

Anthropic’s own writeup says the exploit did not work from a normal web page in a standard browser. It only worked in a stripped-down test environment with browser security features removed, and the demonstrated result was file read/write in that environment—not “full kernel access.”

Full reasoning

Anthropic’s published explanation of this result directly contradicts the scope described here.

Their writeup says the exploit only worked in a testing environment that intentionally removed some of the security features of modern web browsers. They add that Claude was not yet writing “full-chain” exploits that combine multiple vulnerabilities to escape the browser sandbox. That means this was not a case of ordinary JavaScript on an ordinary web page getting code execution on a real, fully protected browser install.

Anthropic is even more specific about the environment: Claude was asked to exploit a stripped-down version of the Firefox js shell, which is a standalone JavaScript engine utility without the browser. The success criterion was to read a local “secret” file and write an “exfil” file on the verifier’s system. That is a serious exploit result, but it is not the same thing as “full kernel access.” Nothing in Anthropic’s description says Claude obtained kernel-mode privileges or broke out to the OS kernel.

Mozilla’s advisory is also consistent with this narrower characterization. It lists CVE-2026-2796 as a JIT miscompilation in the JavaScript: WebAssembly component. Mozilla separately labels actual sandbox escape and privilege escalation bugs under other CVEs, reinforcing that this specific bug was not itself described as a kernel-level takeover.

So the post overstates the result in two ways:

  1. Environment: it was not “normal JavaScript on an ordinary web page” in a standard browser security configuration.
  2. Impact: the demonstrated result was file read/write and code execution in a stripped-down test shell, not full kernel access.
3 sources
  • Reverse engineering Claude's CVE-2026-2796 exploit

    To be clear, the exploit that Claude wrote only works within a testing environment that intentionally removes some of the security features of modern web browsers. Claude isn't yet writing "full-chain" exploits that combine multiple vulnerabilities to escape the browser sandbox... Specifically, Claude needed to exploit a stripped-down version of the js shell ... To pass the verifier ... [it] had to read a pre-specified local "secret" file ... then write another "exfil" file...

  • Partnering with Mozilla to improve Firefox's security

    The exploits Claude wrote only worked on our testing environment, which intentionally removed some of the security features found in modern browsers. This includes, most importantly, the sandbox... Firefox's "defense in depth" would have been effective at mitigating these particular exploits.

  • Security Vulnerabilities fixed in Firefox 148

    CVE-2026-2796: JIT miscompilation in the JavaScript: WebAssembly component ... Mozilla separately lists sandbox escapes and privilege escalations under other CVEs in the same advisory.

Model: OPENAI_GPT_5 Prompt: v1.16.0