Google Chrome
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*
- >= 132, < 133.0.6943.98
A use-after-free vulnerability has been identified in the V8 JavaScript engine of Google Chrome in versions prior to 133.0.6943.98. A remote attacker who can get a victim to load a crafted HTML page can trigger heap corruption in the renderer. The root cause is improper management of WebAssembly code references: the reference handling can be manipulated so that JIT-compiled Wasm code is freed while it is still reachable, leaving a dangling reference that leads to memory corruption and, potentially, arbitrary code execution.
Exploitation yields heap corruption and, with it, memory manipulation and potentially arbitrary code execution inside the Chrome renderer process. The renderer is sandboxed, so on its own this bug gives an attacker code execution only within that sandbox; compromising the underlying system would additionally require a sandbox escape or a chained privilege-escalation bug.
As described, the vulnerability is reproduced by hosting a page whose WebAssembly module abuses the `WasmImportWrapperCache` to 'resurrect' a `WasmCode` object that has already been marked as 'potentially dead'. Once resurrected, the object can be manipulated to leave a dangling pointer in the Wasm code lookup cache. Spraying the heap with new `WasmCode` instances then lets the attacker control the metadata of the dangling wrapper's stack frame, and from there fabricate dangling heap objects that can be leveraged into arbitrary code execution.
Users should update to Google Chrome version 133.0.6943.98 or later, which contains the fix. The installed version can be confirmed on the chrome://version page or from the browser's "About Chrome" dialog.
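For a fleet check, a practitioner wants an exact answer to "is this build inside the affected range?" rather than an eyeball comparison of four-part version strings. The following is an added example, not code from the advisory or from the Chromium project. It encodes the affected range exactly as this page states it (>= 132 and < 133.0.6943.98), compares versions component-wise so that a patch number such as 98 is not compared as a string, and pulls the version out of a `google-chrome --version` style banner; the banner text used in the example is a constructed sample, and the helper names are this example's own.

```python
"""Check whether a Chrome build falls inside the affected range for this advisory.

Added example, not part of the advisory or the Chromium project.
Range taken from the advisory: >= 132 and < 133.0.6943.98.
"""
from typing import Tuple

FIRST_AFFECTED = "132"            # lower bound from the CPE range on this page
FIXED_VERSION = "133.0.6943.98"   # first fixed build per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chrome version such as '133.0.6943.98' into a tuple of ints.

    Chrome versions have four numeric components (major.minor.build.patch).
    Shorter forms like '132' are right-padded with zeros so '132' == '132.0.0.0'.
    Non-numeric input is rejected instead of being compared as text.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def is_affected(version: str,
                first_affected: str = FIRST_AFFECTED,
                fixed: str = FIXED_VERSION) -> bool:
    """True if `version` lies in [first_affected, fixed), i.e. still needs the update.

    Tuple comparison is lexicographic, so 133.0.6943.53 < 133.0.6943.98 and
    133.0.6943.98 itself is treated as fixed.
    """
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(fixed)


def version_from_banner(banner: str) -> str:
    """Extract the version token from a 'google-chrome --version' style banner.

    Assumed banner shape (constructed sample): product name followed by the
    dotted version, e.g. 'Google Chrome 133.0.6943.53'.
    """
    for token in banner.split():
        if token[0].isdigit() and "." in token:
            return token
    raise ValueError(f"no version found in banner: {banner!r}")


if __name__ == "__main__":
    # Constructed sample banners; a real check would run `google-chrome --version`.
    for banner in ("Google Chrome 133.0.6943.53", "Google Chrome 133.0.6943.98"):
        ver = version_from_banner(banner)
        print(f"{ver}: {'AFFECTED - update' if is_affected(ver) else 'not affected'}")
```

The lower bound is taken from the page's CPE range; if you only care about "is this older than the fix", call `is_affected(ver, first_affected="0")`.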