Getting RCE in Chrome with incorrect side effect in the JIT compiler
Blog post from GitHub
The post details the exploitation of CVE-2023-3420, a type confusion vulnerability in Chrome's V8 JavaScript engine disclosed in June 2023. The vulnerability allows remote code execution (RCE) inside Chrome's renderer sandbox when a user visits a malicious website. The exploit abuses speculative optimization in the TurboFan JIT compiler, which compiles JavaScript functions under assumptions about the types of their inputs. When a side effect that the compiler fails to account for invalidates those assumptions, the optimized code performs incorrect memory accesses. Concretely, the exploitation process creates a situation in which optimized code reads and writes object fields at the wrong offsets, yielding out-of-bounds (OOB) access. The post describes how the type confusion is triggered by manipulating JavaScript objects, then outlines the steps from OOB access to code execution using JIT spraying, which bypasses V8's heap sandbox. As the post notes, the complexity of the JIT engine and of speculative optimization has been the source of many security issues, illustrating how hard such advanced systems are to secure against sophisticated attacks.