CVE-2015-1230

Vulnerability

CVE-2015-1230 is a type confusion vulnerability in the getHiddenProperty function located in bindings/core/v8/V8EventListenerList.h within the Blink rendering engine, used in Google Chrome before version 41.0.2276.76. The bug arises from a name conflict with the AudioContext class, allowing remote attackers to trigger type confusion via crafted JavaScript code that adds an AudioContext event listener. Affected versions include Google Chrome prior to 41.0.2276.76 and related distributions such as Red Hat Enterprise Linux, Ubuntu (via Oxide), and Gentoo [1][2][3][4].

Exploitation

Exploitation requires no authentication and can be performed remotely by an attacker who convinces a user to visit a specially crafted website. The attacker delivers JavaScript that adds an AudioContext event listener, causing the getHiddenProperty function to misinterpret the type of an object, leading to type confusion. The user interaction required is limited to opening the malicious webpage [1][2][3].

Impact

Successful exploitation can lead to a denial of service via a renderer crash or, potentially, arbitrary code execution within the sandboxed render process. However, the official description and references indicate the impact is primarily denial of service, with unspecified other impacts possible; the advisory links note that in a web browser context, arbitrary code execution could be achieved but is constrained by sandboxing [2][3].

Mitigation

The vulnerability is fixed in Chrome version 41.0.2276.76. Users should update their browsers to this version or later. For Red Hat Enterprise Linux, the fix was included in the chromium-browser package updates via RHSA-2015:0627 [1]. Ubuntu users received the fix through USN-2521-1 for the Oxide webview component [2]. Gentoo users should upgrade to >=www-client/chromium-41.0.2276.76 [3]. There is no known workaround for unpatched versions.