Understanding the Vulnerability: A Memory Issue in Chrome
The identified vulnerability (CVE-2024-4671) is classified as high-severity and has a CVSS v3.1 score of 9.8. It pertains to a “use after free” weakness within the browser's Visuals component, which is responsible for rendering and displaying content.
"Use after free" vulnerabilities are security flaws that occur when a program continues to use a part of the computer’s memory after it's been freed (i.e. memory that is given back for other programs to use). This can cause all sorts of problems. If the memory is changed or given to another program, the previous program using it again alongside the new program can lead to data leaks, code execution, or system crashes. This is because the freed memory may contain altered data or be repurposed by other software components.
Exploited in the Wild
Google's advisory acknowledges that "an exploit for CVE-2024-4671 exists in the wild," but has so far not released any additional details. Our Security Research team will continue to monitor this vulnerability and we will provide any updates in the Knowledge Base.
Read the Google Chrome Advisory
What's at Stake if I'm a Chrome User?
Successful exploitation of this vulnerability could allow a cybercriminal to obtain complete control over the host. Depending on the privileges associated with the user logged in during the attack, the cybercriminal could install programs, view, change, or delete data, or even create new accounts with full user rights.
Remediation is as Easy as 1, 2, 3
Google has tackled this issue through the rollout of version 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux. These updates are slated to be progressively distributed over the coming days/weeks. For users on the ‘Extended Stable’ channel, the fixes will be integrated into version 124.0.6367.201 for Mac and Windows, with distribution scheduled for a later stage.
Chrome typically updates automatically when security patches become available. However, Chrome users should verify that they're on the latest version by following the steps below.
In the Chrome browser, navigate to Settings > About Chrome.
If an update is available, launch the update.
Once the update is finished, click the Relaunch button to finalize the patch.
Users should also make sure that all future updates are set to occur automatically.
Find This Vulnerability with Holm Security VMP
The Holm Security Research Team has released a Network Vulnerability Test for Linux, MacOS, and Windows to detect this flaw.
- HID-2-1-5357523 - Google Chrome < 124.0.6367.201 Use After Free Vulnerability
Read More in the Knowledge Base
Remember: the key to effective cyber security is proactive and swift action in the face of emerging threats.
Nicola Albanese
Nicola Albanese is a Security Developer in our Security Research Team. He has written and translated news, reviews, and documentation about electronics, networks, and security devices for nearly 15 years. He also worked as a 2nd-level technician for AT&T backbone EMEA networks before answering the call from information and data security in 2018.