| CVE | Category | Price | Severity |
|---|---|---|---|
| CVE-2018-8139 | CWE-119 | $50,000 | High |

| Author | Risk | Exploitation Type | Date |
|---|---|---|---|
| Google Project Zero | High | Remote | 2018-07-13 |

| CVSS | EPSS | EPSSP |
|---|---|---|
| CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 0.791932 | 0.83485 |
Microsoft Edge: Chakra: A bug in BoundFunction::NewInstance (CVE-2018-8139)

BoundFunction::NewInstance is used to handle calls to a bound function. The method first allocates a new argument array, copies the prepended (bound) arguments and the call's own arguments into it, and then calls the actual target function. The problem is that it does not take the CallFlags_NewTarget flag into account, which indicates that there is an extra argument (new.target) at the end of the argument array. As a result, the new argument array created when CallFlags_NewTarget is set is always one element smaller than required, which leads to an out-of-bounds (OOB) read.

PoC:

```javascript
function func() {
    // Accessing new.target reads the trailing argument slot that the
    // undersized argument array does not account for.
    new.target.x;
}
let bound = func.bind({}, 1);      // one prepended argument
Reflect.construct(bound, []);      // construct call sets CallFlags_NewTarget
```

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt
Copyright ©2024 Exploitalert.