CVE-2024-5274

Overview

A type confusion vulnerability in Google Chrome's V8 JavaScript engine allows remote attackers to execute arbitrary code within the Chrome sandbox by crafting a malicious HTML page. The vulnerability exists in versions prior to 125.0.6422.112. The vulnerability was disclosed on May 28, 2024. CISA has identified CVE-2024-5274 as being exploited but is not currently known to be used in ransomware campaigns.

Technical details

A type confusion vulnerability in Google V8 JavaScript engine (used in Chrome) allows attackers to craft a malicious HTML page that triggers improper type handling. When a victim visits the malicious webpage, the vulnerability can be exploited to execute arbitrary code within the Chrome sandbox environment.

The vulnerability is classified as CWE-843 (Access of Resource Using Incompatible Type ('Type Confusion')) .

The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating its high nature.

Impact

Successful exploitation allows remote attackers to execute arbitrary code within the Chrome sandbox. This could lead to data theft, credential harvesting, installation of malware, or lateral movement to compromise the underlying system. The sandbox provides some protection but does not completely prevent system compromise.

Mitigation and workarounds

Update Google Chrome to version 125.0.6422.112 or later. Users can check their version in Chrome by clicking the three-dot menu > Help > About Google Chrome, which will automatically check for updates. The following versions include the necessary fixes: 125.0.6422.112 and later.

As temporary workarounds: disable javascript in chrome settings as a temporary measure (not practical for most users); avoid visiting untrusted or suspicious websites until the patch is applied, and use alternative browsers temporarily until chrome is updated.

CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: This report was generated using AI

Vulnerability Management

Attack Surface Management

Cybersecurity Asset Management

AI Security Automation

Credentials Leaks Monitoring

Cloud Security

External Scanning

Internal Scanning

Attack Surface Monitoring

DAST

Website Security

Risk Based Prioritization

API Security

Emerging Threat Detection

CSPM

Compliance

Cyber Hygiene Reporting

Integrations

Compare Vullify

Qualys Alternative

Tenable Alternative

Rapid7 Alternative

Intruder Alternative

Detectify Alternative

Acunetix Alternative

Invicti Alternative

Pentest-Tools Alternative

Security

Blog

Cyber Glossary

Vulnerability Database

Customers

Help Center

Customer Stories

Developer Hub

About

Press

Partners

Careers

Contact

Book a Demo

Chromium V8 vulnerability analysis and mitigation — CRITICAL (CVSS 9.6)

Overview

Technical details

Impact

Mitigation and workarounds

Additional resources

Related Google Vulnerabilities

Platform

Solutions

Resources

Company