Google Chrome V8 Object Corruption Vulnerability Allowing Heap Corruption Exploitation

Vulnerability

A high-severity object corruption vulnerability has been identified in the V8 JavaScript engine used by Google Chrome. The issue affects Chrome versions prior to 132.0.6834.110. A remote attacker who can deliver a crafted HTML page may be able to exploit heap corruption in the affected engine.

Impact

Exploitation of this vulnerability leads to memory corruption, which can be used to execute arbitrary code in the context of the Chrome renderer.

Reproduction

The vulnerability can be reproduced by creating a JavaScript function that triggers optimization in the V8 engine's Maglev compiler, for example by using the 'OptimizeOsr' function. The crafted function manipulates control flow to create a loop that the optimizer handles incorrectly, leading to a state in which a register value is lost. One way to reach this state is a loop with only one predecessor, which causes the register allocator to clear live register values. After this manipulation, the function is called in a way that exploits the incorrect handling, such as by passing a value that forces a type conversion and then accessing a property that triggers the vulnerability.

Remediation

Users should update to Google Chrome version 132.0.6834.110 or later, where this vulnerability has been fixed.
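As an added example (not part of this advisory), the following Python check compares installed Chrome builds against the fixed version numerically rather than as strings, which matters because a build such as 132.0.6834.9 sorts after 132.0.6834.110 lexically yet is older. The fixed version 132.0.6834.110 is taken from the advisory; the hostnames and other version strings are constructed.

```python
"""Flag Chrome installs older than the fixed build named in the advisory.

Added example, not part of the advisory. FIXED_VERSION is from the advisory;
the inventory below is constructed sample data.
"""
import re

FIXED_VERSION = "132.0.6834.110"  # fixed build per the advisory


def parse_chrome_version(version: str) -> tuple:
    """Parse MAJOR.MINOR.BUILD.PATCH into a tuple of ints for safe comparison.

    String comparison is wrong here: "132.0.6834.9" > "132.0.6834.110" as text.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_chrome_version(installed) < parse_chrome_version(fixed)


def triage(inventory: dict, fixed: str = FIXED_VERSION) -> list:
    """Return the sorted hostnames whose Chrome build still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver, fixed))


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ws-01": "131.0.6778.205",
    "ws-02": "132.0.6834.83",
    "ws-03": "132.0.6834.110",   # exactly the fixed build: not affected
    "ws-04": "132.0.6834.9",     # "larger" as a string, but an older patch
    "ws-05": "133.0.6943.53",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; update to {FIXED_VERSION} or later")
```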

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          8.4
  impact          2.5
  exploitability  5.8
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.