95.0.4638.69, and was disclosed in October 2021 in Google's Chrome release blog, while the bug report was made public in February 2022.
The vulnerability causes a special internal V8 value called TheHole to be leaked to script. This can lead to a renderer RCE in a Chromium-based browser and has been used in the wild.
In this post, I will discuss the root cause of the vulnerability and how I exploited the bug to achieve RCE on a vulnerable version of the Chromium browser.
The vulnerability happens when V8 tries to handle an exception in JSON.stringify(). As mentioned in the bug report, when an exception is raised inside a built-in function, the corresponding Isolate's pending_exception member is set. After that, the invoking code jumps into V8's exception handling machinery, where the
Note that when no exception is pending, the pending_exception member holds the special value TheHole. So if the exception handling machinery tries to fetch an exception from an empty pending_exception slot, the TheHole value is handed to script, which is exactly what happens in this vulnerability.
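To make the failure mode concrete, here is a deliberately simplified model of the pending-exception slot, added for this write-up and not taken from V8's source: the "no exception" state is encoded by a hole sentinel, and a fetch that does not first check whether anything is pending returns that sentinel to the caller. The `Isolate`, `Value` and fetch functions below are illustrative stand-ins, not V8's real types.

```cpp
// Simplified model of a sentinel-encoded exception slot (not V8 code).
#include <stdexcept>
#include <string>

// A value visible to script. Hole is engine-internal and must never reach script.
enum class Tag { Hole, Str };
struct Value {
  Tag tag;
  std::string str;
};
const Value kTheHole{Tag::Hole, ""};

// Model of the per-isolate slot: an empty slot is represented by the hole itself.
struct Isolate {
  Value pending_exception = kTheHole;
  bool has_pending_exception() const { return pending_exception.tag != Tag::Hole; }
  void set_pending_exception(const Value& v) { pending_exception = v; }
  void clear_pending_exception() { pending_exception = kTheHole; }
};

// Buggy path: a failure signal is trusted and the slot is read unconditionally.
// If the built-in signalled failure without populating the slot, the hole escapes.
Value BuggyFetchException(Isolate& iso) {
  Value e = iso.pending_exception;
  iso.clear_pending_exception();
  return e;
}

// Guarded path: the slot is only handed out if something is actually pending.
Value GuardedFetchException(Isolate& iso) {
  if (!iso.has_pending_exception()) throw std::logic_error("failure signalled but no exception pending");
  return BuggyFetchException(iso);
}

// Boundary check a script-facing layer would apply before exposing a value.
bool LeaksToScript(const Value& v) { return v.tag == Tag::Hole; }

// Scenario: the callee reports failure but never set pending_exception.
bool HoleEscapesWithBuggyFetch() {
  Isolate iso;                       // slot left empty, i.e. holding the hole
  return LeaksToScript(BuggyFetchException(iso));
}

bool HoleEscapesWithGuardedFetch() {
  Isolate iso;
  try { return LeaksToScript(GuardedFetchException(iso)); }
  catch (const std::logic_error&) { return false; }   // nothing reaches script
}
```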