Preface: V8 is Google’s open-source, high-performance JavaScript and WebAssembly engine, written in C++, that powers Chrome and Node.js by translating JavaScript into native machine code. It implements the ECMA-262 (ECMAScript) standard, including its data types, operators, objects, and functions, and optimizes execution through the Ignition interpreter and the TurboFan optimizing compiler.
Background: In the V8 JavaScript engine, dictionary mode (also known as “slow mode”) is an internal object representation in which properties are stored and looked up through a hash-map-like structure. Property access in this mode is less optimized than in “fast mode” (where objects are laid out like fixed C-style structs, with each property at a known offset), but it performs better for objects whose shape (set of properties) changes frequently at runtime.
The Assumption: V8’s optimized code still believes the object is in the “fast mode” layout (properties at fixed offsets) that it observed in your code.
The Reality: Through a specific trick (such as adding too many properties or a specific transition), the object has meanwhile been forced into dictionary mode.
The Crash: If V8 fails to deoptimize and keeps applying the fixed-offset logic to a dictionary-layout object, it reads or writes the wrong memory address, leading to an out-of-bounds (OOB) memory access.
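To make the fast-mode/dictionary-mode transition described above observable, here is an added Node.js example (not code from the advisory or from the Chromium project): it enables V8’s natives syntax via `v8.setFlagsFromString('--allow-natives-syntax')` and asks the `%HasFastProperties` intrinsic which layout an object is in before and after the two triggers the text names. The object shapes and the property count of 2000 are constructed sample values of my own.

```javascript
// Added example: probe V8's object layout from Node.js. The natives-syntax flag
// must be set before %HasFastProperties is parsed, so the probe is compiled with
// new Function after setFlagsFromString. On runtimes without this support the
// probe reports { supported: false } instead of throwing.
let hasFastProperties = null;
try {
  require('node:v8').setFlagsFromString('--allow-natives-syntax');
  hasFastProperties = new Function('o', 'return %HasFastProperties(o);');
} catch (e) {
  hasFastProperties = null; // not Node.js, or natives syntax unavailable
}

function probeLayouts() {
  if (hasFastProperties === null) return { supported: false };

  // 1. A fresh object literal starts in fast mode: hidden class + fixed offsets.
  const fresh = { a: 1, b: 2, c: 3 };
  const freshFast = hasFastProperties(fresh);

  // 2. Deleting a property that is not the most recently added one leaves no
  //    hidden-class transition to fall back to, so V8 normalizes the object
  //    into dictionary mode ("a specific transition" in the text above).
  const deleted = { a: 1, b: 2, c: 3 };
  delete deleted.a;
  const afterDeleteFast = hasFastProperties(deleted);

  // 3. Adding many properties at runtime exceeds V8's fast-property limit and
  //    also forces dictionary mode ("adding too many properties").
  const grown = {};
  for (let i = 0; i < 2000; i++) grown['p' + i] = i;
  const afterGrowFast = hasFastProperties(grown);

  return { supported: true, freshFast, afterDeleteFast, afterGrowFast };
}

console.log(probeLayouts());
```

Expected on Node.js: `freshFast` is `true` while `afterDeleteFast` and `afterGrowFast` are `false`; optimized code that still assumed the fixed-offset layout for the latter two objects is exactly the situation the advisory describes.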
Vulnerability details: Inappropriate implementation in V8 in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Official announcement: Please refer to the link for details –