CVE-2022-3887 - Understanding and Exploiting a Use-After-Free Bug in Chrome Web Workers

Google Chrome is the world’s most popular browser, so vulnerabilities can have a huge impact. In October 2022, a critical bug — CVE-2022-3887 — was reported in Chrome’s handling of Web Workers. In this deep-dive, we’ll explain what this bug is, how attackers could exploit it, and walk through demonstration code to illustrate the problem. We’ll also provide additional references if you want to get into the weeds. Let’s get started.

What is CVE-2022-3887?

CVE-2022-3887 is a vulnerability that was classified as “use after free”. It specifically impacts Chrome versions prior to 107..5304.106, in the Web Workers implementation.

A “use after free” means a piece of memory gets freed, but parts of the software continue to use it. If attackers can manipulate things right, they can force Chrome to access freed memory, leading to unpredictable behavior like heap corruption. With enough control, this can let attackers run code of their choice on your computer.

Original Reference

- Chromium Issue 1365746
- NIST NVD Entry

What are Web Workers?

Web Workers are a way for JavaScript to run scripts in background threads. This lets web pages do expensive work (like image processing or data crunching) without freezing the page.

// main.js
const worker = new Worker('worker.js');
worker.postMessage('Hello Worker');
worker.onmessage = function(event) {
  console.log('Received from worker:', event.data);
}

But Web Workers involve complex memory management, especially when being created and destroyed quickly — this complexity can lead to security bugs.

How Does the Bug Work?

The vulnerability exists in the way objects related to Web Workers are freed in Chrome’s code. Under certain circumstances, if a worker is rapidly created and terminated, cleanup code may unintentionally let parts of the browser reference memory that’s already been freed.

This can cause heap corruption. An attacker who carefully crafts their HTML and JavaScript can manipulate the browser’s memory layout, potentially gaining control of the freed memory and using it to run malicious code.

The relevant patch shows “the message port’s lifecycle was managed incorrectly and could be left referencing an already-freed object.”

Demonstration: Simulating the Use-After-Free

Here’s a toy JavaScript code snippet similar to what an attacker might use, simplified for illustration:

<!DOCTYPE html>
<html>
<body>
<script>
let workers = [];
for (let i = ; i < 100; i++) {
  let w = new Worker(URL.createObjectURL(new Blob([`
    onmessage = function(e) { postMessage('done'); }
  `])));
  workers.push(w);
  w.postMessage('test');
  // Terminate the worker quickly
  w.onmessage = function() { w.terminate(); };
}
</script>
</body>
</html>

If you opened this on an old, unpatched Chrome, this would create many workers and destroy them very rapidly, trying to “race” Chrome’s cleanup code into a bad state.

A real exploit would use heap spraying to fill the freed memory with attacker-controlled data, and then trigger a use of that memory. This is complex, but the principle is the same as the demo above.

Trigger Condition: Rapid creation and destruction of web workers.

- Goal: Force the browser to use memory after it’s freed, then refill that memory with attacker data.
- Result: Heap corruption, crash, or possibly arbitrary code execution if sufficient control is gained.

Crafting fake objects in memory.

Researchers occasionally release “proof of concept” exploits for similar issues. To see an example (not directly for CVE-2022-3887), check out this chromium bug report with a reproduction case.

How Was It Fixed?

Google engineers patched this vulnerability by improving the reference and lifetime management for Web Worker objects within Chrome. This removed the race condition and made sure freed memory is never accessed again.

The fix landed in Chrome 107..5304.106.

SECURITY REMINDER: Always keep your browser updated! Bugs like this are tricky and can be used in real attacks.

More Resources

- Chrome Release Notes – Oct 2022
- Official CVE Entry
- Chromium Security Severity Guidelines
- Web Workers MDN Reference

Conclusion

CVE-2022-3887 is a classic example of a use-after-free bug that, if unpatched, could give attackers serious power — potentially taking over your computer via a malicious webpage!

If you’re a developer, always be mindful of object lifetimes and references. For everyone else, let Chrome update automatically: it’s the best way to stay safe.

Timeline

Published on: 11/09/2022 04:15:00 UTC
Last modified on: 11/14/2022 15:15:00 UTC