Russian cybersecurity researchers from Bi.Zone have detailed a critical vulnerability in Google Chrome, CVE-2024-7965, which allows remote code execution (RCE) in the browser's V8 engine. Discovered in July 2024 and patched in an August update, the vulnerability affects Chrome's JavaScript optimizer, TurboFan, and has reportedly been exploited in the wild.
Chrome flaw details
CVE-2024-7965 is linked to the improper handling of phi-nodes in TurboFan, leading to potential memory corruption during code execution. The issue arises from TurboFan's incorrect assumptions about the upper 32 bits of certain node states when compiling for ARM64 architectures. When exploited, it can allow attackers to execute arbitrary code by bypassing array index checks. Although the vulnerability primarily impacts Android devices and Apple laptops running ARM64 chips, the researchers emphasized its broad implications.
Bi.Zone’s researchers demonstrated how the exploit manipulates TurboFan’s node traversal logic. The crux of the issue involves a function called ZeroExtendsWord32ToWord64, which fails to properly validate node states in specific cyclic graphs. By tricking TurboFan into accepting false states during the optimization process, attackers can cause out-of-bounds memory access. Pazdnikov's proof-of-concept (PoC) showcases how the exploit leads to memory corruption and segmentation faults in the V8 engine, though the issue is less severe on x86-64 architectures.
This vulnerability is particularly dangerous because of its potential to compromise Chrome’s security sandbox. If combined with additional exploits, it could give attackers full control over a victim's browser, enabling the theft of user data such as passwords and session cookies. Additionally, if the exploit is combined with cross-site scripting (XSS) attacks, it could allow malicious actors to hijack session tokens and other sensitive information from websites the user visits.
Bi.Zone's research also emphasized that the vulnerability impacts ARM64 devices, including Android smartphones and Apple laptops released after November 2020. While Google patched the vulnerability on August 21, 2024, users running versions of Chrome below 128.0.6613.84 remain at risk. Google also confirmed on August 26 that the vulnerability had been exploited in the wild, heightening its severity.
Defense measures
Chrome users on the impacted platforms should ensure their Chrome version is updated to 128.0.6613.84 or later to mitigate the risk. Additionally, users are recommended to enable Chrome’s Site Isolation feature, which restricts processes to individual tabs, limiting the potential damage from XSS and memory corruption attacks.
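As an added example (not code from the article or from Bi.Zone), a small Python triage routine that flags endpoints in a constructed inventory running a Chrome build below 128.0.6613.84, prioritising the ARM64 hosts the article names as affected; the hostnames, version strings and the Endpoint structure are assumptions.

```python
# Added example (not from the Bi.Zone write-up or the article): triage a
# constructed Chrome inventory against the first build that fixes CVE-2024-7965.
from typing import NamedTuple

FIXED_VERSION = (128, 0, 6613, 84)   # patched build named in the article
ARM64_ARCHES = {"arm64", "aarch64"}  # platforms the article calls primarily impacted


def parse_version(version: str) -> tuple:
    """Parse a dotted Chrome version into integers so 9.x cannot sort above 128.x."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build predates 128.0.6613.84."""
    return parse_version(version) < FIXED_VERSION


class Endpoint(NamedTuple):
    host: str
    arch: str
    chrome_version: str


def triage(inventory) -> dict:
    """Bucket hosts: 'urgent' = unpatched on ARM64 (the affected architecture),
    'update' = unpatched elsewhere, 'ok' = already on or above the fixed build."""
    result = {"urgent": [], "update": [], "ok": []}
    for ep in inventory:
        if not is_vulnerable(ep.chrome_version):
            result["ok"].append(ep.host)
        elif ep.arch.lower() in ARM64_ARCHES:
            result["urgent"].append(ep.host)
        else:
            result["update"].append(ep.host)
    return result


# Constructed sample inventory: hostnames and version numbers are made up.
SAMPLE_INVENTORY = [
    Endpoint("mac-m1-01", "arm64", "127.0.6533.120"),
    Endpoint("android-07", "aarch64", "128.0.6613.84"),
    Endpoint("win-x64-42", "x86_64", "9.0.1234.5"),
    Endpoint("linux-x64-03", "x86_64", "128.0.6613.119"),
]
```

Non-ARM64 hosts still land in the "update" bucket because the article only says the flaw is less severe there, not that those builds are safe.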