Deconstructing and Exploiting CVE-2020-6418
As part of my internship at STAR Labs, I conducted an n-day analysis of CVE-2020-6418. This vulnerability lies in V8, the JavaScript engine of Google Chrome, and specifically in its optimizing compiler, TurboFan. The affected versions are Google Chrome prior to 80.0.3987.122. In this article, I will give a step-by-step analysis of the vulnerability, from the root cause to exploitation.

Background

In JavaScript, objects do not have a fixed type. Instead, V8 assigns each object a Map that reflects its type....
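To make the Map idea concrete, here is an added illustration (not code from the original article and not V8's own implementation): a simplified model of the transition tree V8 uses to hand out Maps, also called hidden classes. The `Shape` class, the `rootShape` constant and the helpers `transition`, `shapeOf` and `haveSameShape` are all invented for this model. It captures one property of real Maps that matters for the rest of the analysis: two objects that receive the same named properties in the same order end up with the same Map, while a different insertion order, or an extra property, yields a different one.

```javascript
// Added example: a toy model of V8's Map (hidden class) transition tree.
// This is NOT V8 code; it only mimics how a Map is derived from the
// sequence of property additions an object has gone through.

class Shape {
  constructor(id, keys, parent) {
    this.id = id;                  // stable identity, standing in for a Map address
    this.keys = keys;              // property names in insertion order
    this.parent = parent;          // Shape this one was transitioned from
    this.transitions = new Map();  // property name -> child Shape
  }
}

let nextShapeId = 0;
// Every object starts from the empty shape, as a fresh {} does in V8.
const rootShape = new Shape(nextShapeId++, [], null);

// Follow (or create) the transition edge for `key` from `shape`.
// Reusing existing edges is what makes two objects with the same
// property history share a single Shape object.
function transition(shape, key) {
  let child = shape.transitions.get(key);
  if (!child) {
    child = new Shape(nextShapeId++, [...shape.keys, key], shape);
    shape.transitions.set(key, child);
  }
  return child;
}

// Compute the Shape an object would have in this model, replaying the
// property additions in the order Object.keys() reports them.
function shapeOf(obj) {
  let shape = rootShape;
  for (const key of Object.keys(obj)) {
    shape = transition(shape, key);
  }
  return shape;
}

// Analogue of a "same map" check: identity comparison of the Shape objects.
function haveSameShape(a, b) {
  return shapeOf(a) === shapeOf(b);
}

// Constructed sample objects.
const p1 = { x: 1, y: 2 };
const p2 = { x: 3, y: 4 };
const p3 = { y: 2, x: 1 };  // same properties, different order

console.log(haveSameShape(p1, p2)); // same history -> same Shape
console.log(haveSameShape(p1, p3)); // different order -> different Shape

// Adding a property moves an object to a new Shape; if that addition
// follows the same path as p1, it ends up sharing p1's Shape.
const p4 = { x: 9 };
console.log(haveSameShape(p4, p1));
p4.y = 10;
console.log(haveSameShape(p4, p1));
```

The last four lines are the point that matters for an optimizing compiler: an object's Map can change at runtime whenever code adds a property to it. Optimized code that was compiled under the assumption of a particular Map must therefore re-check the Map whenever arbitrary JavaScript could have run in between, which is exactly the kind of guard TurboFan emits and which the rest of this article examines.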