CVE CyberSecurity Database News

CVE-2024-4761 - Out-of-Bounds Write in Chrome’s V8 – What Happened, How It Works, & Exploit Details

Poster -

---

Google Chrome is the world’s most popular web browser, but even it isn’t immune to dangerous bugs. CVE-2024-4761 is one of those: a high-severity flaw that lets a remote attacker write outside allocated memory in V8, Chrome’s JavaScript engine, just by luring someone to a malicious web page. If you use Chrome or build with V8, you’ll want to understand how this bug works and why it got patched fast.

Let’s get into what the bug is, where it lives, how it can be abused, and what you should do.

What is CVE-2024-4761?

CVE-2024-4761 is an “out-of-bounds write” vulnerability in V8, which is Chrome’s JavaScript engine, used for executing scripts in web pages. Before version 124..6367.207, this flaw let attackers write data outside assigned memory, just by tricking Chrome into running malicious JavaScript from an HTML page.

Official advisory

- Chromium Issue 335278787
- Chrome Releases Blog: Stable Channel Update for Desktop (2024-05-21)

The malicious site serves *crafted JavaScript* that triggers the bug.

3. Due to a bug in V8’s memory management, the malicious code writes data outside a buffer’s boundaries.

An attacker might use this bug to corrupt memory, crash the browser, or even execute arbitrary code.

5. With such code execution, the attacker could install malware, steal data, or break out of Chrome’s sandbox (if chained with more bugs).

The core issue is that the JavaScript engine trusts certain buffer sizes given by scripts, and broken logic lets scripts write past those, into potentially sensitive or executable memory.

Demonstrating the Bug: Code Snippet

Below is a simplified code snippet showing how a malicious script could abuse this kind of out-of-bounds write vulnerability. (Note: The bug was patched and the below is illustrative; the real exploit is much more complex and version-specific.)

// This is a *demonstrative* example, not a working exploit.
// It mimics how OOB array accesses can lead to memory corruption.

let arr = [1.1, 2.2, 3.3];
let oobArray = arr;
let victimObj = {fake: 1};

// Hypothetical trigger to corrupt array length
function trigger() {
    // Exploit a flaw in how V8 handles array resizing or type confusion
    // For example, using a JIT miscompilation (pseudo-code):
    for (let i = ; i < 10000; i++) {
        // Force JIT compilation with predictable types
        oobArray[] = 1.1;
    }

    // Now, due to the bug, oobArray's length or backing store overflows.
    // Out of bounds write:
    oobArray[10] = 42; // This writes outside the array's allocated buffer!

    // In a full exploit, attacker crafts 'victimObj' so the overflow lands on it,
    // changing JS object properties, function pointers, etc.
}
trigger();

console.log("If this ran on a vulnerable Chrome, it could corrupt memory.");

*In real-life exploits, attackers would find a way to turn this kind of memory corruption into code execution – for example, by overwriting a function pointer or object property.*

Exploit Details

- How is it exploited? An attacker sends you a crafted web page. When you visit, malicious JavaScript executes, triggering the out-of-bounds write. This could corrupt memory and allow code to run unchecked.
- Is it reliable? Out-of-bounds write vulnerabilities are a favorite among attackers because they can lead to code execution with the right set of circumstances. In practice, exploit reliability depends on system memory layout and protections.
- How severe is it? *High*. Chrome’s sandbox and other protections help, but if this bug is chained with others (like a sandbox escape), attack consequences are severe.

Actor crafts a payload to run JavaScript which overwrites memory belonging to a JS object.

3. By manipulating the object’s “map” or function pointer, attacker gets V8 to jump to their shellcode.
4. If paired with a sandbox escape, attacker can break out and gain access to the operating system – for example, to download and run malware.

How Was It Patched?

V8’s maintainers updated array bounds and internal buffer management, fixing the code logic that allowed scripts to write past boundaries. The patch is available in Chrome 124..6367.207 and later.

References

- Chromium Security Issue 335278787
- Chrome Releases Blog: Stable Channel Update for Desktop (2024-05-21)
- V8 JavaScript Engine Source
- Common Vulnerabilities and Exposures (CVE): CVE-2024-4761

Takeaway

CVE-2024-4761 is a reminder that even well-tested code like Chrome’s JavaScript engine can have dangerous bugs. Out-of-bounds writes are a top target for attackers, and this one was serious enough for immediate patching. Always keep your browser and software up-to-date.

Timeline

Published on: 05/14/2024 16:17:35 UTC
Last modified on: 05/20/2024 14:08:51 UTC