One Malicious Link, Full Root Access — Nebula Security Demos the World's First Android 17 Exploit Chain

Clicking an unknown link has always been risky, but a new exploit published today makes the danger more visceral than ever. YC-backed security startup Nebula Security has released "IonStack", a working, full-chain browser-to-kernel exploit that roots a fully updated Android 17 phone from a single malicious URL, with no further interaction required.

The attack strings together two previously unknown vulnerabilities discovered by VEGA, Nebula's AI code-scanning agent: a miscompilation flaw in Firefox's JavaScript engine, and a privilege escalation bug that has been sitting unnoticed in the Linux kernel — and therefore in every major Linux distribution — for over 15 years.

The Firefox flaw, CVE-2026-10702, is a JIT miscompilation in the JavaScript Engine component, reported by Nebula Security and patched in Firefox 151.0.3, released June 2, 2026. 

The "Ion" in IonStack is a direct reference to IonMonkey — Firefox's JIT (Just-in-Time) compiler, which speeds up JavaScript by converting it to native machine code on the fly. 

A flaw in how that compilation handles certain operations lets an attacker corrupt memory and break entirely out of the browser's security sandbox. From there, the second 0-day takes over: it escalates from the browser process directly into the Linux kernel, granting root access on the device. Full phone control from a single tap on a link.

The implications extend well beyond Android. Nebula's demo targets Firefox 151 on Android arm64, but the Linux kernel component affects the same kernel that powers servers, cloud infrastructure, and hundreds of millions of Linux desktops worldwide.

What makes this disclosure genuinely unsettling for the broader industry isn't just the exploit — it's the methodology. VEGA found both zero-days autonomously through code scanning. No human audit. No conference deadline. If a security startup's AI agent can surface critical bugs in a browser JIT compiler and a decade-and-a-half-old kernel flaw in the same sweep, the same class of tooling in less careful hands represents a real and accelerating threat.

Nebula states that both vulnerabilities were disclosed to the respective vendors before the public demo. The exploit's source code is set for public release shortly, with a countdown visible on Nebula's demo site. VEGA is currently available in private beta for enterprise customers.

What to do: Update Firefox to version 151.0.3 or later immediately — it's available now across Windows, macOS, Linux, and Android. Android users should also apply any pending June 2026 security patches to address the kernel-level component. If your device manufacturer hasn't pushed updates, check manually under Settings → System → Security Update.
