Remote Code Execution in Chrome's V8 Prior to 125.0.6422.112

CVE-2024-5274

9.6 CRITICAL

Key Information

Vendor
Google
Status
Chrome
Vendor
CVE Published: 28 May 2024

Badges

🔥 No. 1 Trending, 😄 Trended, 👾 Exploit Exists, 📰 News Worthy

What is CVE-2024-5274?

CVE-2024-5274 is a critical vulnerability found in the V8 JavaScript engine used by Google Chrome prior to version 125.0.6422.112. This vulnerability stems from a type confusion issue that allows remote attackers to execute arbitrary code within a sandboxed environment by crafting a malicious HTML page. Given the widespread use of Google Chrome across many organizations, this vulnerability poses a serious risk to user security and data integrity, as it can result in unauthorized access and manipulation of systems and data.

Technical Details

The vulnerability involves a type confusion error in the V8 engine, which is responsible for executing JavaScript code in Google Chrome. This specific flaw allows an attacker to craft an HTML page that, when visited by a user, can trigger the execution of arbitrary code inside the browser's sandbox. The severity of this vulnerability has been categorized as high, and it requires immediate attention due to its potential for exploitation in various malicious scenarios.

Impact of the Vulnerability

  1. Remote Code Execution: Attackers can execute arbitrary code within the browser, leading to potential control over the affected system and user data.

  2. Data Breach Risk: Successful exploitation can allow attackers to access sensitive information held in the browser, including personal, corporate, or financial data, increasing the risk of data breaches.

  3. Compromise of System Integrity: The vulnerability can serve as a gateway for further attacks, enabling threat actors to deploy malware or gain persistent access to the affected system, thus compromising overall system integrity.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-5274 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Chrome < 125.0.6422.112

News Articles

Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

Russian hackers exploit patched Safari and Chrome flaws in attacks on Mongolian government websites, targeting mobile users.

4 months ago

Google patches fourth zero-day in May, eighth so far of 2024

Security pros say because this bug was exploited in the wild, assume threat actors have launched remote code execution attacks.

7 months ago

Google Releases Emergency Update for Latest Chrome Zero-Day - Spiceworks

Google fixes another critical security flaw in Chrome. Learn more about the fourth zero-day exploit patched this month and why updating your browser is essential.

7 months ago

References

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 🔥 Vulnerability reached the number 1 worldwide trending spot

  • Vulnerability started trending

  • CISA Reported

  • Vulnerability published

  • 👾 Exploit known to exist

  • First article discovered by SecurityWeek

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database, CISA Database, Google Feed, 10 News Article(s)