Garbage Collection in V8
Richard Abou Chaaya, John Stephenson
OffensiveCon 2025 · Day 1 · Main
Researchers Richard Abou Chaaya and John Stephenson from Tencent demonstrate how a previously reported V8 bug — dismissed as non-exploitable — becomes a critical use-after-free under V8's new Minor Mark Sweep (MinorMS) garbage collector. Paired with a GC-triggered V8 heap sandbox escape, the two bugs form a complete remote code execution exploit chain against Chrome. The talk is grounded in a rigorous explanation of garbage collection theory, showing that the switch from the Scavenger GC to MinorMS changed fundamental invariants that previous exploitability assessments relied upon.

---
AI review
Chaaya and Stephenson took a V8 bug previously dismissed as non-exploitable, showed that the switch from Scavenger GC to Minor Mark Sweep changed the object lifecycle in exactly the way needed to make the UAF reliable, then chained it with a GC-triggered V8 heap sandbox escape to achieve full Chrome RCE. The methodology — monitor GC algorithm changes to re-audit dismissed bugs — is a new research primitive. Accept immediately.