From object transition to RCE in the Chrome renderer


In this post, I'll exploit CVE-2024-5830, a type confusion bug in V8 (Chrome's JavaScript engine) that allows remote code execution (RCE) inside Chrome's renderer sandbox from a single visit to a malicious site.

While this may look like a promising OOB write primitive, the problem is that zero-length descriptor arrays in V8 all point to the shared empty_descriptor_array, which is stored in a read-only region, so that write cannot land there. By arranging the heap, I can instead place arbitrary values in the field highlighted in the post's figure (the "red box"), and in particular make it point to a fake object that I created. Once an OOB access to the fake double array is achieved, gaining arbitrary read and write in the V8 heap is rather straightforward.
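The last step of that chain (OOB access on a double array, then a corrupted elements pointer, then arbitrary read/write) is the standard V8 heap-exploitation recipe, so here is an added, self-contained Node.js model of it. This is not code from the original post and does not exploit any real bug: the "heap" is a Float64Array under our control, the slot layout, field offsets and lack of pointer tagging are simplifications, and the out-of-bounds index is simply granted by the model to stand in for the type-confusion primitive. What it shows is why double arrays are the preferred target: their backing store holds raw 64-bit values, so an OOB write can plant a pointer-sized value into a neighbour's elements field, and every later in-bounds read of that neighbour becomes a read at an address of our choosing.

```javascript
// Added example (not from the original post): Node.js model of
// "OOB double array -> corrupt neighbour's elements pointer -> arbitrary R/W".
// The heap layout and the OOB primitive are simulated; nothing here touches V8.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);

// Double-array elements store raw IEEE-754 bits. These helpers let us write an
// arbitrary 64-bit value (e.g. a pointer) as a "double" and read it back.
// Values used below stay outside the NaN bit patterns so the round trip is exact.
function itof(i) { u64[0] = BigInt.asUintN(64, i); return f64[0]; }
function ftoi(f) { f64[0] = f; return u64[0]; }

// Simulated heap: 8-byte slots addressed by word index.
// Layout (assumed for the model, not V8's real object layout):
//   0..3   oobArray's backing store (length 4)
//   4      victim.map       (opaque, left alone)
//   5      victim.elements  (index of victim's backing store)
//   6      victim.length
//   7..10  victim's real backing store
//   11..14 "secret" slots standing in for some target object's fields
const HEAP = new Float64Array(16);
const OOB_ELEMENTS = 0;
const VICTIM_ELEMENTS_FIELD = 5;
const VICTIM_LEN_FIELD = 6;
const VICTIM_STORE = 7;
const SECRET = 11;

function initHeap() {
  HEAP.fill(0);
  HEAP[VICTIM_ELEMENTS_FIELD] = itof(BigInt(VICTIM_STORE));
  HEAP[VICTIM_LEN_FIELD] = itof(4n);
  for (let i = 0; i < 4; i++) {
    HEAP[SECRET + i] = itof(0x4141414141414100n + BigInt(i));
  }
}

// The primitive the bug hands us: index past oobArray's real length of 4.
// A real engine would bounds-check; the model deliberately does not.
function oobRead(idx) { return HEAP[OOB_ELEMENTS + idx]; }
function oobWrite(idx, v) { HEAP[OOB_ELEMENTS + idx] = v; }

// Legitimate in-bounds accessors for the victim array: they trust its
// elements pointer, which is exactly what we are about to corrupt.
function victimRead(i) {
  const store = Number(ftoi(HEAP[VICTIM_ELEMENTS_FIELD]));
  return HEAP[store + i];
}
function victimWrite(i, v) {
  const store = Number(ftoi(HEAP[VICTIM_ELEMENTS_FIELD]));
  HEAP[store + i] = v;
}

// Sanity check: oobArray[5] is not our data at all, it is victim.elements.
function leakVictimElements() {
  return Number(ftoi(oobRead(VICTIM_ELEMENTS_FIELD - OOB_ELEMENTS)));
}

// Arbitrary read: retarget victim.elements at `addr`, then victim[0] is *addr.
function arbRead(addr) {
  oobWrite(VICTIM_ELEMENTS_FIELD - OOB_ELEMENTS, itof(BigInt(addr)));
  return ftoi(victimRead(0));
}

// Arbitrary write: same retargeting, then an in-bounds write lands at `addr`.
function arbWrite(addr, value) {
  oobWrite(VICTIM_ELEMENTS_FIELD - OOB_ELEMENTS, itof(BigInt(addr)));
  victimWrite(0, itof(value));
}

// Restore the pointer afterwards; leaving it dangling is how a GC sweep
// turns a working exploit into a crash.
function restoreVictim() {
  oobWrite(VICTIM_ELEMENTS_FIELD - OOB_ELEMENTS, itof(BigInt(VICTIM_STORE)));
}

initHeap();
console.log('victim.elements leaked via OOB read:', leakVictimElements());
console.log('secret[0]:', arbRead(SECRET).toString(16));
arbWrite(SECRET + 1, 0xdeadbeefn);
console.log('secret[1] after arbWrite:', arbRead(SECRET + 1).toString(16));
restoreVictim();
```

In a real exploit the same three moves apply, but the addresses are compressed 32-bit pointers inside the V8 heap cage, lengths and pointers carry tag bits, and the "victim" is usually an object whose elements field is reachable at a fixed offset from the corrupted array; the model drops those details to keep the pointer-swap mechanics visible.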
