tags: v8, type_confusion, chrome
original link: Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties
newsletter link: exploits.club Weekly Newsletter 27


Exploits Club Summary:

Our lord and savior @mmolgtm has returned, this time to walk through CVE-2024-3833, an object corruption bug in V8. The post starts by detailing a bug from 2021 reported by Project Zero before diving into two bugs related to JavaScript Promise Integration, a feature currently in an origin trial. Both bugs allow certain objects to have duplicate properties. The post then dives into the novel exploit technique he used to go after the bugs. We won’t try to summarize it here - we wouldn’t be able to even if we wanted to. You should go read the post.