Security quote of the week
In this post, I want to showcase CVE-2021-21225, a vulnerability in V8's Array.prototype.concat implementation that I discovered in April 2021. It was used to gain code execution in Google Chrome's renderer process and won a $22000 bounty from Google which was donated to the EFF (matched by Google). The bug itself has quite an interesting history and marks all the checkboxes of a powerful V8 engine vulnerability that comes with V8 builtin bugs: works in pdfium, web workers, and JIT-less codebases.

— Brendon Tiszka (Thanks to Paul Wise.)

For curiosity's sake, I checked the Chrome Renderer Remote Code Execution (RCE) rates in the Offensive Security markets and was offered $500k for this exploit paid out over 12 months with 10% paid upfront - quarterly payouts contingent on the vulnerability not being patched.