The vulnerability stems from the handling of native arrays during sorting operations in JavascriptArray::EntrySort. The original code conditionally converted native arrays to Var arrays and back, creating a window for type confusion if the array's prototype was manipulated (as demonstrated in the PoC). The patch removed this logic entirely, replacing it with a direct call to EnsureNonNativeArray, which mitigates the risk by ensuring the array is non-native before sorting. The removal of the conversion code in EntrySort directly addresses the memory corruption vector, confirming its role in the vulnerability.