CVE CyberSecurity Database News

CVE-2024-9122 - Breaking Down the V8 Type Confusion in Chrome (With Exploit Insights)

Poster -

On May 2024, the Chromium project published a high-severity vulnerability: CVE-2024-9122. This bug, affecting Google Chrome’s V8 JavaScript engine (the “brain” behind JavaScript running in your browser), opened the door for remote attackers to break out of the browser sandbox and even run arbitrary code. Here’s a deep dive into what happened, how the attack works, and what you can learn from it.

What is CVE-2024-9122?

CVE-2024-9122 is a type confusion vulnerability found in V8 (Chrome’s JavaScript engine) before version 129..6668.70. This means V8 could be tricked into treating data of one type as if it were another, leading to reading or writing memory outside intended boundaries (out-of-bounds access).

Attack Vector: Anyone could trigger this by luring a user to a malicious website.

- Impact: Out-of-bounds memory access, paving the way for code execution on the victim’s machine.

The Root Cause

In V8 engines, objects have “hidden types.” The engine tries to optimize code based on these types for speed. However, under certain jit-optimized scenarios—such as array manipulations—it’s possible for an attacker to trick the engine into misclassifying an object.

Imagine you have an array that the engine thinks contains only floats. If you manage to sneak an object inside, then manipulate that data as if it’s a float, crazy things can happen: You start accessing memory chunks you shouldn’t.

A Minimal Exploit Example

Let’s look at how an attacker might exploit this. Below is a simplified proof-of-concept (PoC) to explain the bug (note: this is for education only):

// Only works in vulnerable versions of Chrome (prior to 129..6668.70)

let arr = [1.1, 2.2, 3.3];
let obj = {a:1};
function confuse(o, idx, value) {
  o[idx] = value; // At JIT, engine optimizes access pattern
  return o;
}

for (let i = ; i < 10000; i++) {
  confuse(arr, , 1.1); // Train the JIT engine
}

// Now we pass an object instead of a float
confuse(arr, , obj);

// Trying out-of-bounds access
console.log(arr[]); // Oops! The data is now an object, but engine thinks it's still a float

// The next steps would turn this bug into memory read/write primitives.

The actual exploit is much more complicated, but this snippet shows the core trick: putting an unexpected object type into an array the engine thinks is only floats. Once successful, bad actors can leak memory addresses (info leak), and ultimately manipulate the browser’s memory to run shellcode.

Patches and Remediation

Google fixed this quickly in Chrome 129..6668.70. If you’re on an older version, update now.

- Official Chromium issue: https://crbug.com/41435145
- Release note: Chrome Stable Release
- National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-9122

Lessons Learned

- JIT engines are great, but dangerous. Every performance optimization can expand your attack surface.
- Automatic updates are lifesavers. Chrome’s auto-update feature protects most users by default. Don’t disable it!
- User caution still matters. Avoid clicking unknown links or downloading files from unfamiliar sources.

Conclusion

CVE-2024-9122 is a classic example of the threats hiding in modern browser engines. Exploitable type confusions like this remind us to keep everything up-to-date and be aware of what we browse—even as browser vendors race to keep us safe.

If you’re curious about exploit development, responsibly study public proofs-of-concept—and always report new bugs to the vendor.

References

- Chromium Security Tracker: Issue 41435145
- NVD Detail for CVE-2024-9122
- Chrome Stable Channel Update

Timeline

Published on: 09/25/2024 01:15:48 UTC
Last modified on: 09/26/2024 13:32:02 UTC