
Chrome in-the-wild bug analysis: CVE-2021-37975

Blog post from GitHub

Post Details

Company: GitHub
Author: Man Yue Mo
Word Count: 6,607
Language: English
Summary

On September 30, 2021, Google released an update for Chrome addressing several security vulnerabilities, including CVE-2021-37975, a logic bug in the garbage collector (GC) of Chrome's JavaScript engine, v8. The bug, reported by an anonymous researcher, allows JavaScript objects that are still reachable to be collected, producing a use-after-free (UAF) that can be exploited. The analysis walks through the relevant parts of the v8 garbage collector, focusing on how weak references and ephemerons complicate the marking phase of a collection and how that complexity gives rise to bugs of this kind. The exploit, though sophisticated, shows how the garbage collector's behaviour can be steered to create a UAF, which is then turned into arbitrary code execution by relying on the predictable layout of the process memory map and on features such as WebAssembly. The author highlights the challenges involved in developing such an exploit and stresses that understanding garbage collector mechanisms is key to finding and mitigating similar vulnerabilities in the future.