
From object transition to RCE in the Chrome renderer

Blog post from GitHub

Post Details
Company: GitHub
Date Published:
Author: Man Yue Mo
Word Count: 4,030
Language: English
Summary

A detailed walkthrough of CVE-2024-5830, a type confusion bug in V8, the JavaScript engine in Chrome, that leads to remote code execution by abusing map transitions and map deprecation. The bug was reported in May 2024; an attacker who gets a victim to visit a malicious site can use it to run arbitrary code in the Chrome renderer process. Maps (V8's hidden classes) record an object's layout: which properties it has, where each is stored and what representation each field uses. When a field's representation is generalized, V8 replaces the old map with a new one and marks the old map as deprecated; objects still on the deprecated map are migrated lazily the next time they are touched. The vulnerability arises because, during an object cloning operation, a deprecated map can unexpectedly be turned into a dictionary map, while the cloning code still assumes the fast-mode layout and performs an out-of-bounds (OOB) access. That OOB access is used to construct fake objects in the V8 heap, which gives arbitrary read and write within the heap. The V8 heap sandbox confines such corruption to a reserved region of the address space, so the exploit targets API objects: V8 objects that act as wrappers for Blink objects living outside the sandbox. Causing type confusion between these wrapper objects yields arbitrary memory access to the rest of the process and, from there, code execution in the renderer. The post illustrates how intricate map transitions are and how hard they make it to keep a JavaScript engine safe.
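The following is an added JavaScript example, not code from the original post or from the exploit it describes. It sets up the object-layout pattern the summary talks about: several objects sharing one map, a store that generalizes a field's representation and thereby deprecates that shared map, and an object-spread clone taken from an object that is still on the deprecated map. The function names are chosen for this example; the comments describe what V8 does internally, which is not observable from plain JavaScript (run node with `--allow-natives-syntax` and add `%DebugPrint(obj)` calls if you want to see the map and its deprecated flag).

```javascript
// Added example (not from the original post): the map-transition and
// deprecation pattern that the vulnerable clone operation acts on.

// Three objects that receive the same properties, in the same order, with the
// same value kinds end up sharing a single map: {x: Smi, y: Smi}.
function makeObjects() {
  const a = { x: 1, y: 2 };
  const b = { x: 3, y: 4 };
  const c = { x: 5, y: 6 };
  return { a, b, c };
}

// Storing a non-integer number into a field that V8 has so far tracked as a
// small integer (Smi) generalizes that field's representation. V8 handles this
// by creating a new map with the wider representation and marking the old map
// as deprecated; other objects still on the old map are migrated lazily the
// next time they are accessed.
function deprecateByDoubleStore(obj) {
  obj.x = 1.5;
  return obj;
}

// Object spread is the cloning operation the summary refers to. It copies the
// source object's own enumerable properties into a fresh object. V8 has a fast
// path for this that relies on the source object's map, which is why the state
// of that map (fast or dictionary, deprecated or not) matters to the engine.
function cloneWithSpread(src) {
  return { ...src };
}

// Ties the steps together: deprecate the shared map via one object, then
// clone a different object that is still sitting on the deprecated map.
function demo() {
  const { a, b, c } = makeObjects();
  deprecateByDoubleStore(b);          // a and c now reference a deprecated map
  const aClone = cloneWithSpread(a);  // clone taken from an object on that map
  return { a, b, c, aClone };
}
```

Functionally the clone is just a new object with the same properties and values; the point of the example is the sequence of engine-internal states it drives, which is the kind of sequence the post's exploit manipulates.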