
Chrome in-the-wild bug analysis: CVE-2021-30632

Blog post from GitHub

Post Details

- Company: GitHub
- Author: Man Yue Mo
- Word Count: 5,207
- Language: English
- Hacker News Points: -
Summary

On September 13, 2021, Google released Chrome version 93.0.4577.82, addressing two critical security vulnerabilities, CVE-2021-30632 and CVE-2021-30633, that were being actively exploited. The vulnerabilities were a type confusion bug in the JIT compiler and a use-after-free bug in the IndexedDB API; together they allowed a full remote compromise of Chrome, combining remote code execution with a sandbox escape. The analysis explores the internals of the JIT compiler in Chrome's V8 JavaScript engine, focusing on property access optimizations, map stability, and map transitions, and on how inconsistencies between them can lead to type confusion and exploitable conditions. The author gives a detailed walkthrough of constructing an exploit based on these vulnerabilities, emphasizing the difficulty of keeping object state consistent across the different layers that implement property access. This technical examination aims to offer insight into the weaknesses of JIT optimizations and to help researchers prevent similar issues in the future.