The 2021 Pwnie Nominee For Best Client-Side Bug

MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)

Researcher Names:

Hany Ragab, Enrico Barberis, Herbert Bos and Cristiano Giuffrida

Link: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-29955

Floating Point Value Injection (FPVI) allows an attacker to inject arbitrary values into a transient execution window created by a floating-point machine clear. The attacker triggers the exploit by causing the victim application to perform a denormal floating-point operation whose x and y operands are under the attacker’s control. The transient z result of that operation is consumed by the subsequent instructions, leaving an observable microarchitectural trace.

The exploit against Mozilla Firefox relies on an attacker-controlled, transiently injected floating-point value that triggers a type confusion (between the String and Double types) on the transient execution path, allowing the attacker to transiently leak arbitrary memory locations. With FPVI, a single floating-point operation can compromise the whole hardware-software stack from JavaScript running in Firefox, affecting millions of clients.
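Added example, not code from the advisory or from the researchers' paper; it assumes x86-64 with SSE and a compiler that exposes the MXCSR intrinsics in pmmintrin.h. It shows how to recognise the denormal operand or result that sends a floating-point operation down the microcode-assist path described above, and how the DAZ/FTZ bits in MXCSR keep denormals out of the computation so that path, and the transient window it opens, never occur.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <pmmintrin.h>   /* DAZ/FTZ helpers; pulls in xmmintrin.h for _mm_getcsr/_mm_setcsr */

/* IEEE-754 double: a zero exponent field with a nonzero fraction is a
 * denormal (subnormal). Decoded from the bit pattern so the check does not
 * depend on the current MXCSR state or on libm. */
int is_denormal(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    uint64_t exponent = (bits >> 52) & 0x7FF;
    uint64_t fraction = bits & ((1ULL << 52) - 1);
    return exponent == 0 && fraction != 0;
}

/* 1 when x * y would take the denormal assist path that creates the
 * transient window: a denormal input (what DAZ suppresses) or a denormal
 * result (what FTZ suppresses). Attacker-influenced operands can be
 * screened with this before they reach the FPU. */
int needs_denormal_assist(double x, double y) {
    volatile double vx = x, vy = y;   /* volatile: keep the multiply at run time */
    double z = vx * vy;
    return is_denormal(x) || is_denormal(y) || is_denormal(z);
}

/* Multiply with DAZ and FTZ either both on or both off, restoring the
 * caller's MXCSR afterwards. With DAZ on, a denormal input is read as
 * +0.0, so the product of a denormal and 2.0 is 0.0 rather than a
 * denormal; the assist, and the transient window it opens, never happen. */
double multiply_with_daz_ftz(double x, double y, int enable) {
    unsigned int saved = _mm_getcsr();
    _MM_SET_DENORMALS_ZERO_MODE(enable ? _MM_DENORMALS_ZERO_ON : _MM_DENORMALS_ZERO_OFF);
    _MM_SET_FLUSH_ZERO_MODE(enable ? _MM_FLUSH_ZERO_ON : _MM_FLUSH_ZERO_OFF);
    volatile double vx = x, vy = y;
    volatile double z = vx * vy;      /* volatile: computed before MXCSR is restored */
    _mm_setcsr(saved);
    return z;
}

int main(void) {
    double tiny = 0x1p-1074;          /* smallest positive denormal double (constructed input) */
    printf("denormal operand needs assist: %d\n", needs_denormal_assist(tiny, 2.0));
    printf("normal operands need assist:   %d\n", needs_denormal_assist(1.5, 2.0));
    printf("tiny * 2.0, DAZ/FTZ off: %a\n", multiply_with_daz_ftz(tiny, 2.0, 0));
    printf("tiny * 2.0, DAZ/FTZ on:  %a\n", multiply_with_daz_ftz(tiny, 2.0, 1));
    return 0;
}
```

MXCSR only governs SSE/AVX arithmetic, so x87 code is unaffected, and setting DAZ/FTZ process-wide changes numerical results for any code that legitimately relies on denormals, which makes it a per-workload decision rather than a blanket fix.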