Google Chrome V8 Heap Buffer Overflow Vulnerability Allowing Heap Corruption Exploitation

Vulnerability

A heap buffer overflow vulnerability has been identified in the V8 JavaScript engine used by Google Chrome. It affects Chrome versions prior to 133.0.6943.126. A remote attacker can potentially exploit heap corruption by crafting a malicious HTML page. The root cause lies in the Wasm-to-JS wrapper compilation, where an overly large number of parameters leads to out-of-bounds memory access and corrupts heap memory.

Impact

Exploitation of this vulnerability leads to heap memory corruption, allowing out-of-bounds memory access and potential manipulation of memory contents. Memory corruption of this kind is commonly leveraged to execute arbitrary code or to crash the browser, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by compiling a WebAssembly (Wasm) module that calls a JavaScript function with an excessively high number of parameters, specifically 0xfffa or more. This can be done with the WasmModuleBuilder to create a function that exceeds the JavaScript parameter limit, importing it into a Wasm module, and executing that module in the Chrome browser. The out-of-bounds access can be observed as a heap-buffer-overflow error, which indicates that the memory corruption has been triggered.

Remediation

Update Google Chrome to version 133.0.6943.126 or later, in which this vulnerability is fixed.
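The affected range stated above (everything before 133.0.6943.126) is simple to state but easy to get wrong when checked by string comparison, because Chrome builds have four numeric components. The following script is an added example and is not part of this advisory: it parses Chrome version strings, decides whether a given build is older than the fixed build, triages a constructed endpoint inventory, and pulls the Chrome version out of a sample proxy-log user agent. The hostnames, versions and user-agent line are made up; only the fixed version comes from the advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed build stated in the advisory; anything older is affected.
FIXED_VERSION = "133.0.6943.126"

# Chrome user agents carry a "Chrome/MAJOR.MINOR.BUILD.PATCH" token.
_UA_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted Chrome version into a 4-tuple of ints.

    Shorter strings are right-padded with zeros, so "133.0" compares as
    133.0.0.0. Anything that is not 1 to 4 numeric components is rejected.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))
    return tuple(nums)


def is_vulnerable(observed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the observed build is numerically older than the fixed build."""
    return parse_version(observed) < parse_version(fixed)


def chrome_version_from_ua(user_agent: str) -> Optional[str]:
    """Extract the Chrome version token from a user-agent string, if present."""
    match = _UA_CHROME_RE.search(user_agent)
    return match.group(1) if match else None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'update required' | 'ok' | 'unknown' from reported versions."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "update required" if is_vulnerable(version) else "ok"
        except ValueError:
            result[host] = "unknown"  # unparsable or missing version data
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-001": "133.0.6943.98",   # older patch on the same build -> affected
    "ws-002": "133.0.6943.126",  # exactly the fixed build -> ok
    "ws-003": "134.0.6998.35",   # newer major -> ok
    "ws-004": "n/a",             # no data -> unknown
}

# Constructed sample user-agent line, as it might appear in a proxy log.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/132.0.6834.160 Safari/537.36")

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
    ua_version = chrome_version_from_ua(SAMPLE_UA)
    print(f"proxy log UA -> Chrome {ua_version}, vulnerable={is_vulnerable(ua_version)}")
```

One caveat on the user-agent path: recent Chrome releases reduce the version in the User-Agent header to MAJOR.0.0.0, so a proxy log may show a build that never existed and cannot tell a patched 133 from an unpatched one. Treat the UA-based check as a coarse filter and rely on endpoint inventory (the `triage` path) for the authoritative patch status.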

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.