diff --git a/lib/internal/webstreams/readablestream.js b/lib/internal/webstreams/readablestream.js index 4f7eb5ce95b56e..c7a89373e99bcd 100644 --- a/lib/internal/webstreams/readablestream.js +++ b/lib/internal/webstreams/readablestream.js @@ -97,9 +97,6 @@ const { } = require('internal/streams/utils'); const { - ArrayBufferViewGetBuffer, - ArrayBufferViewGetByteLength, - ArrayBufferViewGetByteOffset, AsyncIterator, canCopyArrayBuffer, cloneAsUint8Array, @@ -110,6 +107,7 @@ const { enqueueValueWithSize, extractHighWaterMark, extractSizeAlgorithm, + getArrayBufferView, getNonWritablePropertyDescriptor, isBrandCheck, kState, @@ -692,8 +690,9 @@ class ReadableStreamBYOBRequest { 'This BYOB request has been invalidated'); } - const viewByteLength = ArrayBufferViewGetByteLength(view); - const viewBuffer = ArrayBufferViewGetBuffer(view); + const arrayBufferView = getArrayBufferView(view); + const viewBuffer = arrayBufferView[0]; + const viewByteLength = arrayBufferView[2]; const viewBufferByteLength = ArrayBufferPrototypeGetByteLength(viewBuffer); if (ArrayBufferPrototypeGetDetached(viewBuffer)) { @@ -984,8 +983,9 @@ class ReadableStreamBYOBReader { } validateObject(options, 'options', kValidateObjectAllowObjectsAndNull); - const viewByteLength = ArrayBufferViewGetByteLength(view); - const viewBuffer = ArrayBufferViewGetBuffer(view); + const arrayBufferView = getArrayBufferView(view); + const viewBuffer = arrayBufferView[0]; + const viewByteLength = arrayBufferView[2]; if (isSharedArrayBuffer(viewBuffer)) { throw new ERR_INVALID_ARG_VALUE( 
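Review bot: `getArrayBufferView(view)` in `ReadableStreamBYOBRequest.respondWithNewView` now reaches a native binding that does `CHECK(args[0]->IsArrayBufferView())` (src/node_util.cc in this commit), so a value that is not a view aborts the process, whereas the removed `ReflectGet` helpers stayed in JavaScript and could at worst throw. No validation of `view` is visible between the "invalidated" check and the call. The method starts outside this hunk, so `view` may be validated earlier, but that should be confirmed here and for the call in `ReadableStreamBYOBReader.read` in the next hunk. I would pin the precondition at each public entry point with a comment such as `// view is already validated as an ArrayBufferView; getArrayBufferView() CHECKs and aborts on anything else`.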
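Review bot: The tuple returned by `getArrayBufferView` is read by bare index in `ReadableStreamBYOBReader.read` (`arrayBufferView[0]`, `arrayBufferView[2]`), and the same pattern appears at the other five call sites in this file, so the `[buffer, byteOffset, byteLength]` layout is documented only in src/node_util.cc. A one-line comment above the first read would help: `// getArrayBufferView() returns [buffer, byteOffset, byteLength]`. If index access was chosen over array destructuring so that a patched `Array.prototype[Symbol.iterator]` is never consulted, say so in the same comment; otherwise a later cleanup is likely to reintroduce destructuring.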
@@ -1202,8 +1202,9 @@ class ReadableByteStreamController { if (!isReadableByteStreamController(this)) throw new ERR_INVALID_THIS('ReadableByteStreamController'); validateBuffer(chunk); - const chunkByteLength = ArrayBufferViewGetByteLength(chunk); - const chunkBuffer = ArrayBufferViewGetBuffer(chunk); + const arrayBufferView = getArrayBufferView(chunk); + const chunkBuffer = arrayBufferView[0]; + const chunkByteLength = arrayBufferView[2]; if (isSharedArrayBuffer(chunkBuffer)) { throw new ERR_INVALID_ARG_VALUE( @@ -2749,9 +2750,10 @@ function readableByteStreamControllerPullInto( assert(minimumFill >= elementSize && minimumFill <= view.byteLength); assert(minimumFill % elementSize === 0); - const buffer = ArrayBufferViewGetBuffer(view); - const byteOffset = ArrayBufferViewGetByteOffset(view); - const byteLength = ArrayBufferViewGetByteLength(view); + const arrayBufferView = getArrayBufferView(view); + const buffer = arrayBufferView[0]; + const byteOffset = arrayBufferView[1]; + const byteLength = arrayBufferView[2]; const bufferByteLength = ArrayBufferPrototypeGetByteLength(buffer); let transferredBuffer; @@ -2892,9 +2894,10 @@ function readableByteStreamControllerEnqueue(controller, chunk) { stream, } = controller[kState]; - const buffer = ArrayBufferViewGetBuffer(chunk); - const byteOffset = ArrayBufferViewGetByteOffset(chunk); - const byteLength = ArrayBufferViewGetByteLength(chunk); + const arrayBufferView = getArrayBufferView(chunk); + const buffer = arrayBufferView[0]; + const byteOffset = arrayBufferView[1]; + const byteLength = arrayBufferView[2]; if (closeRequested || stream[kState].state !== 'readable') return; 
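Review bot: In `readableByteStreamControllerPullInto` the first assertion above the new lookup still reads `view.byteLength` through the ordinary property (`minimumFill <= view.byteLength`), which is the tamperable path that `getArrayBufferView` exists to avoid. The trusted length is available a few lines later, so that assertion could move below the lookup and use it: `assert(minimumFill >= elementSize && minimumFill <= byteLength);`. The function begins outside this hunk, so it is not visible whether `minimumFill` itself was derived from the plain property; that is worth checking at the same time.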
@@ -3187,9 +3190,10 @@ function readableByteStreamControllerRespondWithNewView(controller, view) { const desc = pendingPullIntos[0]; assert(stream[kState].state !== 'errored'); - const viewByteLength = ArrayBufferViewGetByteLength(view); - const viewByteOffset = ArrayBufferViewGetByteOffset(view); - const viewBuffer = ArrayBufferViewGetBuffer(view); + const arrayBufferView = getArrayBufferView(view); + const viewBuffer = arrayBufferView[0]; + const viewByteOffset = arrayBufferView[1]; + const viewByteLength = arrayBufferView[2]; const viewBufferByteLength = ArrayBufferPrototypeGetByteLength(viewBuffer); if (stream[kState].state === 'closed') { diff --git a/lib/internal/webstreams/util.js b/lib/internal/webstreams/util.js index 1f6d648ada9eed..9efee974625973 100644 --- a/lib/internal/webstreams/util.js +++ b/lib/internal/webstreams/util.js @@ -1,19 +1,14 @@ 'use strict'; const { - ArrayBufferPrototypeGetByteLength, - ArrayBufferPrototypeGetDetached, - ArrayBufferPrototypeSlice, ArrayPrototypePush, ArrayPrototypeShift, AsyncIteratorPrototype, - FunctionPrototypeCall, MathMax, NumberIsNaN, PromisePrototypeThen, - ReflectGet, + ReflectApply, Symbol, - Uint8Array, } = primordials; const { @@ -27,16 +22,19 @@ const { } = internalBinding('buffer'); const { - inspect, -} = require('util'); - -const { + canCopyArrayBuffer, + cloneAsUint8Array, constants: { kPending, }, + getArrayBufferView, getPromiseDetails, } = internalBinding('util'); +const { + inspect, +} = require('util'); + const assert = require('internal/assert'); const { 
@@ -87,38 +85,11 @@ function customInspect(depth, options, name, data) { return `${name} ${inspect(data, opts)}`; } -// These are defensive to work around the possibility that -// the buffer, byteLength, and byteOffset properties on -// ArrayBuffer and ArrayBufferView's may have been tampered with. - -function ArrayBufferViewGetBuffer(view) { - return ReflectGet(view.constructor.prototype, 'buffer', view); -} - -function ArrayBufferViewGetByteLength(view) { - return ReflectGet(view.constructor.prototype, 'byteLength', view); -} - -function ArrayBufferViewGetByteOffset(view) { - return ReflectGet(view.constructor.prototype, 'byteOffset', view); -} - -function cloneAsUint8Array(view) { - const buffer = ArrayBufferViewGetBuffer(view); - const byteOffset = ArrayBufferViewGetByteOffset(view); - const byteLength = ArrayBufferViewGetByteLength(view); - return new Uint8Array( - ArrayBufferPrototypeSlice(buffer, byteOffset, byteOffset + byteLength), - ); -} - -function canCopyArrayBuffer(toBuffer, toIndex, fromBuffer, fromIndex, count) { - return toBuffer !== fromBuffer && - !ArrayBufferPrototypeGetDetached(toBuffer) && - !ArrayBufferPrototypeGetDetached(fromBuffer) && - toIndex + count <= ArrayBufferPrototypeGetByteLength(toBuffer) && - fromIndex + count <= ArrayBufferPrototypeGetByteLength(fromBuffer); -} +// getArrayBufferView, canCopyArrayBuffer, and cloneAsUint8Array are +// implemented in src/node_util.cc via direct V8 API calls. They are immune to +// user tampering of typed-array prototypes (matching the defensive behavior of +// the previous Reflect.get-based JS implementation) and faster on hot +// byte-stream paths. function isBrandCheck(brand) { return (value) => { 
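Review bot: The replacement comment says the bindings match the previous JS helpers, but the visible lines show at least one difference. The removed `canCopyArrayBuffer` called `ArrayBufferPrototypeGetDetached` on both buffers, which as far as I know throws for a SharedArrayBuffer, whereas the new test in test/parallel/test-util-internal.js expects `true` for a SharedArrayBuffer destination. The native versions also `CHECK` their argument types instead of raising a JS error. I would state both in the comment, e.g. `// Unlike the old helpers, these accept SharedArrayBuffer and abort (CHECK) on non-buffer arguments; callers must validate first.`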
@@ -169,25 +140,9 @@ function enqueueValueWithSize(controller, value, size) { controller[kState].queueTotalSize += size; } -// Arity-specialized variants of the promise-callback wrapper. The generic -// rest-parameter + ReflectApply form allocated an arguments array on every -// invocation; these run on per-chunk hot paths (pull/write/transform), so -// each known call-site arity gets its own wrapper. The exact number of -// arguments passed through to the user callback is observable and must be -// preserved. -function createPromiseCallbackNoParams(name, fn, thisArg) { - validateFunction(fn, name); - return async () => FunctionPrototypeCall(fn, thisArg); -} - -function createPromiseCallback1Param(name, fn, thisArg) { - validateFunction(fn, name); - return async (arg) => FunctionPrototypeCall(fn, thisArg, arg); -} - -function createPromiseCallback2Params(name, fn, thisArg) { +function createPromiseCallback(name, fn, thisArg) { validateFunction(fn, name); - return async (arg1, arg2) => FunctionPrototypeCall(fn, thisArg, arg1, arg2); + return async (...args) => ReflectApply(fn, thisArg, args); } function isPromisePending(promise) { @@ -222,21 +177,17 @@ function lazyTransfer() { } module.exports = { - ArrayBufferViewGetBuffer, - ArrayBufferViewGetByteLength, - ArrayBufferViewGetByteOffset, AsyncIterator, canCopyArrayBuffer, cloneAsUint8Array, copyArrayBuffer, - createPromiseCallbackNoParams, - createPromiseCallback1Param, - createPromiseCallback2Params, + createPromiseCallback, customInspect, dequeueValue, enqueueValueWithSize, extractHighWaterMark, extractSizeAlgorithm, + getArrayBufferView, getNonWritablePropertyDescriptor, isBrandCheck, isPromisePending, diff --git a/src/node_buffer.cc b/src/node_buffer.cc index 9adb02517efc42..54fc48106db771 100644 --- a/src/node_buffer.cc +++ b/src/node_buffer.cc 
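Review bot: `createPromiseCallback` goes back to a rest parameter plus `ReflectApply`, and the comment removed with the arity-specific wrappers was the only record of two facts: these wrappers run per chunk, and the number of arguments forwarded to the user callback is observable. With `(...args)` the callback receives however many arguments the internal caller passes rather than a fixed count, so every call site must pass exactly the intended number; those call sites are outside this diff. A short comment would keep the contract visible: `// Forwards every argument as-is; callers must pass exactly the arguments the spec defines for this callback.` The export list in the next hunk drops `createPromiseCallbackNoParams`, `createPromiseCallback1Param` and `createPromiseCallback2Params`, so any remaining importer of those names would get `undefined`; no importer update is visible here.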
@@ -1524,6 +1524,16 @@ static void SetDetachKey(const FunctionCallbackInfo& args) { namespace { +bool ReadNonNegativeInteger(Local value, uint64_t* result) { + constexpr double kMaxSafeInteger = static_cast((1LL << 53) - 1); + double number = value.As()->Value(); + if (number < 0 || number > kMaxSafeInteger) { + return false; + } + *result = static_cast(number); + return static_cast(*result) == number; +} + std::pair DecomposeBufferToParts(Local buffer) { void* pointer; size_t byte_length; @@ -1551,10 +1561,10 @@ void CopyArrayBuffer(const FunctionCallbackInfo& args) { // args[4] == bytesToCopy CHECK(args[0]->IsArrayBuffer() || args[0]->IsSharedArrayBuffer()); - CHECK(args[1]->IsUint32()); + CHECK(args[1]->IsNumber()); CHECK(args[2]->IsArrayBuffer() || args[2]->IsSharedArrayBuffer()); - CHECK(args[3]->IsUint32()); - CHECK(args[4]->IsUint32()); + CHECK(args[3]->IsNumber()); + CHECK(args[4]->IsNumber()); void* destination; size_t destination_byte_length; 
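Review bot: `ReadNonNegativeInteger` lets NaN through its range test, because both `number < 0` and `number > kMaxSafeInteger` are false for NaN. The conversion of NaN to an unsigned 64-bit integer that follows is undefined behaviour in C++, even though the round-trip comparison afterwards returns false. The next hunk relaxes the argument checks from `IsUint32()` to `IsNumber()`, so NaN and fractional values can now reach this helper. Writing the guard positively rejects NaN before the cast: `if (!(number >= 0 && number <= kMaxSafeInteger)) return false;`. The same body is added again as a `static` helper in src/node_util.cc and needs the same change; a single shared definition would keep the two copies from drifting.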
@@ -1565,16 +1575,21 @@ void CopyArrayBuffer(const FunctionCallbackInfo& args) { size_t source_byte_length; std::tie(source, source_byte_length) = DecomposeBufferToParts(args[2]); - uint32_t destination_offset = args[1].As()->Value(); - uint32_t source_offset = args[3].As()->Value(); - size_t bytes_to_copy = args[4].As()->Value(); - - CHECK_GE(destination_byte_length - destination_offset, bytes_to_copy); - CHECK_GE(source_byte_length - source_offset, bytes_to_copy); - - uint8_t* dest = static_cast(destination) + destination_offset; - uint8_t* src = static_cast(source) + source_offset; - memcpy(dest, src, bytes_to_copy); + uint64_t destination_offset; + uint64_t source_offset; + uint64_t bytes_to_copy; + CHECK(ReadNonNegativeInteger(args[1], &destination_offset)); + CHECK(ReadNonNegativeInteger(args[3], &source_offset)); + CHECK(ReadNonNegativeInteger(args[4], &bytes_to_copy)); + + CHECK_LE(destination_offset, static_cast(destination_byte_length)); + CHECK_LE(source_offset, static_cast(source_byte_length)); + CHECK_LE(bytes_to_copy, static_cast(destination_byte_length) - destination_offset); + CHECK_LE(bytes_to_copy, static_cast(source_byte_length) - source_offset); + + uint8_t* dest = static_cast(destination) + static_cast(destination_offset); + uint8_t* src = static_cast(source) + static_cast(source_offset); + memcpy(dest, src, static_cast(bytes_to_copy)); } // Converts a number parameter to size_t suitable for ArrayBuffer sizes diff --git a/src/node_util.cc b/src/node_util.cc index 6d3373caae6c5c..3944b0d5e98549 100644 --- a/src/node_util.cc +++ b/src/node_util.cc @@ -27,6 +27,7 @@ using v8::Local; using v8::LocalVector; using v8::MaybeLocal; using v8::Name; +using v8::Number; using v8::Object; using v8::ObjectTemplate; using v8::ONLY_CONFIGURABLE; @@ -42,6 +43,7 @@ using v8::StackFrame; using v8::StackTrace; using v8::String; using v8::Uint32; +using v8::Uint8Array; using v8::Value; // If a UTF-16 character is a low/trailing surrogate. 
@@ -194,6 +196,106 @@ void ArrayBufferViewHasBuffer(const FunctionCallbackInfo& args) { args.GetReturnValue().Set(args[0].As()->HasBuffer()); } +// Returns [buffer, byteOffset, byteLength] in a single binding crossing, +// equivalent to reading the three properties via +// Reflect.get(view.constructor.prototype, ..., view). Uses the V8 API +// directly so it is immune to prototype tampering and avoids the JS-side +// overhead of the defensive accessors in lib/internal/. +void GetArrayBufferView(const FunctionCallbackInfo& args) { + Isolate* isolate = args.GetIsolate(); + CHECK(args[0]->IsArrayBufferView()); + Local view = args[0].As(); + Local values[] = { + view->Buffer(), + Number::New(isolate, static_cast(view->ByteOffset())), + Number::New(isolate, static_cast(view->ByteLength())), + }; + args.GetReturnValue().Set(Array::New(isolate, values, arraysize(values))); +} + +static bool ReadNonNegativeInteger(Local value, uint64_t* result) { + constexpr double kMaxSafeInteger = 9007199254740991.0; + double number = value.As()->Value(); + if (number < 0 || number > kMaxSafeInteger) { + return false; + } + *result = static_cast(number); + return static_cast(*result) == number; +} + +// Returns true iff bytes can be safely copied between the buffers given the +// requested offsets and count. Matches lib/internal/webstreams/util.js: +// toBuffer !== fromBuffer && +// !toBuffer.detached && +// !fromBuffer.detached && +// toIndex + count <= toBuffer.byteLength && +// fromIndex + count <= fromBuffer.byteLength +void CanCopyArrayBuffer(const FunctionCallbackInfo& args) { + CHECK(args[0]->IsArrayBuffer() || args[0]->IsSharedArrayBuffer()); + CHECK(args[1]->IsNumber()); + CHECK(args[2]->IsArrayBuffer() || args[2]->IsSharedArrayBuffer()); + CHECK(args[3]->IsNumber()); + CHECK(args[4]->IsNumber()); + + // SharedArrayBuffer handles are interoperable with ArrayBuffer handles in + // V8, so we can use the ArrayBuffer accessors uniformly. 
WasDetached() + // always returns false on a SAB. + Local to_buffer = args[0].As(); + Local from_buffer = args[2].As(); + + if (to_buffer->StrictEquals(from_buffer)) { + args.GetReturnValue().Set(false); + return; + } + if (to_buffer->WasDetached() || from_buffer->WasDetached()) { + args.GetReturnValue().Set(false); + return; + } + + uint64_t to_index; + uint64_t from_index; + uint64_t count; + if (!ReadNonNegativeInteger(args[1], &to_index) || + !ReadNonNegativeInteger(args[3], &from_index) || + !ReadNonNegativeInteger(args[4], &count)) { + args.GetReturnValue().Set(false); + return; + } + + const uint64_t to_byte_length = to_buffer->ByteLength(); + const uint64_t from_byte_length = from_buffer->ByteLength(); + + bool ok = to_index <= to_byte_length && count <= to_byte_length - to_index && + from_index <= from_byte_length && + count <= from_byte_length - from_index; + args.GetReturnValue().Set(ok); +} + +// Equivalent to: +// new Uint8Array(view.buffer.slice(view.byteOffset, +// view.byteOffset + view.byteLength)) +// Allocates a fresh ArrayBuffer with the view's bytes copied into it, then +// returns a Uint8Array over the full new buffer. Avoids the JS-side +// Reflect.get + slice round-trip. +void CloneAsUint8Array(const FunctionCallbackInfo& args) { + Environment* env = Environment::GetCurrent(args); + Isolate* isolate = env->isolate(); + CHECK(args[0]->IsArrayBufferView()); + Local view = args[0].As(); + size_t byte_length = view->ByteLength(); + Local new_buffer; + if (!ArrayBuffer::MaybeNew(isolate, byte_length).ToLocal(&new_buffer)) { + // MaybeNew does not schedule an exception on allocation failure. 
+ THROW_ERR_MEMORY_ALLOCATION_FAILED(isolate); + return; + } + if (byte_length > 0) { + size_t copied = view->CopyContents(new_buffer->Data(), byte_length); + CHECK_EQ(copied, byte_length); + } + args.GetReturnValue().Set(Uint8Array::New(new_buffer, 0, byte_length)); +} + static uint32_t GetUVHandleTypeCode(const uv_handle_type type) { // TODO(anonrig): We can use an enum here and then create the array in the // binding, which will remove the hard-coding in C++ and JS land. @@ -480,6 +582,9 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) { registry->Register(GetExternalValue); registry->Register(Sleep); registry->Register(ArrayBufferViewHasBuffer); + registry->Register(GetArrayBufferView); + registry->Register(CanCopyArrayBuffer); + registry->Register(CloneAsUint8Array); registry->Register(GuessHandleType); registry->Register(fast_guess_handle_type_); registry->Register(ParseEnv); @@ -589,6 +694,11 @@ void Initialize(Local target, SetMethod(context, target, "parseEnv", ParseEnv); SetMethod( context, target, "arrayBufferViewHasBuffer", ArrayBufferViewHasBuffer); + SetMethodNoSideEffect( + context, target, "getArrayBufferView", GetArrayBufferView); + SetMethodNoSideEffect( + context, target, "canCopyArrayBuffer", CanCopyArrayBuffer); + SetMethod(context, target, "cloneAsUint8Array", CloneAsUint8Array); SetMethod(context, target, "constructSharedArrayBuffer", diff --git a/test/parallel/test-util-internal.js b/test/parallel/test-util-internal.js index e2b500daa70060..b446042ac3b226 100644 --- a/test/parallel/test-util-internal.js +++ b/test/parallel/test-util-internal.js @@ -7,6 +7,9 @@ const fixtures = require('../common/fixtures'); const { internalBinding } = require('internal/test/binding'); const { + canCopyArrayBuffer, + cloneAsUint8Array, + getArrayBufferView, privateSymbols: { arrow_message_private_symbol, }, 
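Review bot: `CanCopyArrayBuffer` admits a SharedArrayBuffer in its `CHECK`s but then casts both arguments to an `ArrayBuffer` handle and calls `WasDetached()` and `ByteLength()` through it. I believe V8 builds with API checks enabled verify that cast and reject a shared buffer, so the `canCopyArrayBuffer(sab, ...)` case in the new test could abort in a debug build even though it passes in release. Casting each argument to its actual type avoids relying on the two classes sharing a representation; the sketch below assumes `SharedArrayBuffer` is brought into scope like the other `using v8::` declarations. Separately, the comment above the function says it matches lib/internal/webstreams/util.js, but this commit removes that JS implementation, so the comment should describe the contract directly.

```cpp
// … unchanged: argument CHECKs …
  if (args[0]->StrictEquals(args[2])) {
    args.GetReturnValue().Set(false);
    return;
  }

  // Read the length through the handle type the value really has. A
  // SharedArrayBuffer cannot be detached, so only ArrayBuffer is asked.
  auto attached_byte_length = [](Local<Value> buffer, uint64_t* length) {
    if (buffer->IsSharedArrayBuffer()) {
      *length = buffer.As<SharedArrayBuffer>()->ByteLength();
      return true;
    }
    Local<ArrayBuffer> array_buffer = buffer.As<ArrayBuffer>();
    *length = array_buffer->ByteLength();
    return !array_buffer->WasDetached();
  };

  uint64_t to_byte_length;
  uint64_t from_byte_length;
  if (!attached_byte_length(args[0], &to_byte_length) ||
      !attached_byte_length(args[2], &from_byte_length)) {
    args.GetReturnValue().Set(false);
    return;
  }
// … unchanged: index parsing and the four range comparisons …
```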
@@ -28,3 +31,28 @@ try { } assert.match(arrowMessage, /bad_syntax\.js:1/); + +{ + const view = new Uint8Array(new ArrayBuffer(8), 2, 4); + assert.deepStrictEqual(getArrayBufferView(view), [view.buffer, 2, 4]); + + const sabView = new Uint8Array(new SharedArrayBuffer(8), 2, 4); + assert.deepStrictEqual(getArrayBufferView(sabView), [sabView.buffer, 2, 4]); +} + +{ + const source = new Uint8Array([1, 2, 3, 4]); + const clone = cloneAsUint8Array(source.subarray(1, 3)); + assert.deepStrictEqual([...clone], [2, 3]); + assert.notStrictEqual(clone.buffer, source.buffer); +} + +{ + const to = new ArrayBuffer(8); + const from = new ArrayBuffer(8); + const sab = new SharedArrayBuffer(8); + assert.strictEqual(canCopyArrayBuffer(to, 0, from, 0, 8), true); + assert.strictEqual(canCopyArrayBuffer(sab, 0, from, 0, 8), true); + assert.strictEqual(canCopyArrayBuffer(to, 2 ** 32, from, 0, 1), false); + assert.strictEqual(canCopyArrayBuffer(to, 0, from, 0, 2 ** 32), false); +}
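Review bot: The new cases cover only the happy path and two oversized indices, so none of them exercises the property this commit relies on, namely that the bindings ignore tampered view properties. Shadowing an accessor before the existing `getArrayBufferView` assertion would pin that: `Object.defineProperty(view, 'byteLength', { value: 1024 });`. The rejection branches that the C++ implements but nothing here reaches are also worth a line each, for example `assert.strictEqual(canCopyArrayBuffer(to, 0, to, 0, 1), false);` for the same-buffer case and `assert.strictEqual(canCopyArrayBuffer(to, NaN, from, 0, 1), false);` for a non-integer index. A detached buffer and a negative index would complete the set.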