From object transition to RCE in the Chrome renderer

The post discusses the exploitation of a bug reported in Chrome Javascript engine's in May 2024 - CVE-2024-5830, a type confusion bug in v8. This bug enables remote code execution (RCE) in the renderer sandbox of Chrome by simply visiting a malicious site. A map concept, crucial for property optimization, memory layout representation, and object elements detailing, is central to the bug's understanding. While discussing various map transition and deprecation intricacies, it explains how updating a deprecated map results in it becoming a dictionary map unexpectedly. The resulting dictionary map is then used, assuming the input is a fast map, enabling the overwriting of a dictionary map's internal property. Consequently, this triggers an OOB access to the dictionary and leads to arbitrary memory read and write outside the v8 heap sandbox and arbitrary code execution in the Chrome renderer process.