On August 21, Google released an update for Chrome that fixed a total of 37 security flaws. Researchers around the world turned their attention to CVE-2024-7965, described as an inappropriate implementation in the browser's V8 engine. The vulnerability can lead to remote code execution (RCE) in the Chrome renderer and thus serve as a starting point for further exploitation. Interest grew further when, on August 26, Google noted that an exploit for CVE-2024-7965 exists "in the wild."
Unlike in our previous research, this time we did not have to compare executable files, since all of the V8 source code is publicly available. Still, some analysis was needed to locate the relevant commit. Our search revealed the following:
One important detail stands out immediately: the patch is in TurboFan, V8's optimizing JavaScript compiler. TurboFan uses a sea-of-nodes representation: the compiler first builds a graph of the function, performs optimizations on that graph, and then selects instructions for the target architecture and generates machine code.