The issue is a use-after-free in the instruction optimization component, the successful exploitation of which could “allow an attacker to execute arbitrary code in the context of the browser.”
The defect, which was identified in the Dev channel version of Chrome 101, was reported to Google by Weibo Wang, a security researcher at the Singapore Cybersecurity Society Numen Cybertechnology, and has since been quietly fixed by the company.
“This vulnerability occurs in the instruction select step, where the wrong instruction was selected, resulting in a memory access exception,” Wang said.
Use-after-free bugs occur when a program accesses memory that has already been freed. The result is undefined behavior: a crash, the use of corrupted data, or even the execution of arbitrary code.
What is more worrying is that the flaw can be exploited remotely via a specially crafted website to bypass security restrictions and execute arbitrary code, compromising the targeted system.
“This vulnerability can be further exploited using heap spraying techniques and then leads to a ‘type confusion’ vulnerability,” Wang explained. “The vulnerability allows an attacker to control function pointers or write code to arbitrary memory locations, and ultimately leads to code execution.”
The company has not yet disclosed the vulnerability on the Chrome bug tracker, to allow as many users as possible to install the patched version first. Additionally, Google does not assign CVE IDs to vulnerabilities found in unstable Chrome channels.
Chrome users, especially developers who use the Dev edition of Chrome to test that their apps are compatible with the latest Chrome features and API changes, should update to the latest available version of the software.
Figure: TurboFan assembly instructions after the vulnerability fix
This isn’t the first time that use-after-free vulnerabilities have been discovered in V8. In 2021, Google fixed seven such bugs in Chrome that were exploited in real-world attacks. This year it also fixed an actively exploited use-after-free vulnerability in the Animation component.