CVE-2024-4058

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Apr 24, 2024

CVSS 3.1: 8.8 (High) | EPSS: 0.05%

Summary

CVE-2024-4058 is a type confusion bug in ANGLE (Almost Native Graphics Layer Engine), the open-source library Google Chrome uses to implement WebGL by translating OpenGL ES calls into the platform's native graphics API. Google rated the issue Critical (Chromium bug 332546345). It was reported by security researchers Toan Pham and Bao Pham of Qrious Secure.

Impact

Type confusion occurs when code operates on a memory object as if it had a different type from the one it was allocated with. The mismatched field layout typically yields out-of-bounds reads or writes, or an attacker-influenced pointer, which is how such bugs are turned into arbitrary code execution. Because ANGLE processes WebGL content supplied by web pages, the attack only requires the victim to load a page the attacker controls (User Interaction: Required in the CVSS vector below); no privileges are needed. Chrome's process sandboxing confines the initial compromise to the affected process, so full system compromise would normally require chaining with a sandbox-escape bug, but Google still classified the issue as Critical. Successful exploitation could lead to data theft, further compromise of the host, or other malicious actions.

Exploitation

There is no evidence that a public proof-of-concept exists. The "Exploitation in the Wild" entry in the timeline below is an automated match against a SecurityWeek article rather than a vendor statement; Google's Stable Channel release note (excerpted under Vendor Advisory) does not report in-the-wild exploitation. Treat the exploitation status as unconfirmed and prioritize patching on the basis of the Critical severity.

Patch

Google fixed the issue in Chrome 124.0.6367.78 (Stable Channel Update for Desktop, Apr 24, 2024). The fix was also backported to ChromeOS LTS-120 as 120.0.6099.309, and Fedora shipped it as chromium-124.0.6367.78-1.fc38 (FEDORA-2024-2c9be9d949). Users should update to the latest version as soon as possible. Note that on the ChromeOS LTS channel a patched build carries a lower version number than the stable fix, so version checks should compare within the release branch rather than against 124.0.6367.78 alone.
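To turn the fixed versions listed on this page into a patch-status check, here is an added example (it is not from the page, from Google, or from any of the distributions named): it parses Chrome-style version strings and compares them against the fixed build on the same release branch, so a patched ChromeOS LTS-120 build (120.0.6099.309) is not misreported as vulnerable just because 120 is less than 124. The sample inventory, the host names, and the rule that any major-120 build belongs to the LTS-120 branch are constructed for illustration.

```python
"""Branch-aware patch check for CVE-2024-4058 (example code, not vendor tooling)."""
import re

# Fixed builds as listed in the references on this page.
FIXED_VERSIONS = {
    "chrome": "124.0.6367.78",             # Stable Channel Update for Desktop
    "chromeos-lts-120": "120.0.6099.309",  # ChromeOS LTS-120 backport
}

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first Chrome-style version in `text` as a tuple of four ints.

    Works on bare versions ('124.0.6367.78'), product strings
    ('Google Chrome 124.0.6367.79') and distro package names
    ('chromium-124.0.6367.78-1.fc38', where '-1.fc38' is the package release).
    Raises ValueError when no four-component version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome-style version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed, branch=None):
    """True if `installed` contains the CVE-2024-4058 fix.

    Comparison is done within a release branch: a plain 'newer than
    124.0.6367.78' test would flag the patched LTS-120 build as vulnerable.
    Assumption (constructed for this example): any major-120 build is on the
    LTS-120 branch; pass `branch` explicitly when the inventory knows better.
    """
    version = parse_version(installed)
    if branch is None:
        branch = "chromeos-lts-120" if version[0] == 120 else "chrome"
    fixed = parse_version(FIXED_VERSIONS[branch])
    if version[0] != fixed[0]:
        # Later majors were cut after the fix landed; earlier majors predate it.
        return version[0] > fixed[0]
    return version >= fixed


def triage(inventory):
    """Classify (host, version-string) pairs as patched, vulnerable or unknown."""
    result = {}
    for host, reported in inventory:
        try:
            result[host] = "patched" if is_patched(reported) else "vulnerable"
        except ValueError:
            result[host] = "unknown"  # not a Chrome-style version; review manually
    return result


# Constructed sample inventory; the hosts and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 124.0.6367.60"),     # 124 stable before the fix
    ("ws-02", "Google Chrome 124.0.6367.79"),     # later patch number on the fixed branch
    ("ws-03", "Google Chrome 123.0.6312.122"),    # previous major
    ("cb-01", "ChromeOS LTS 120.0.6099.309"),     # LTS-120 with the backport
    ("cb-02", "ChromeOS LTS 120.0.6099.276"),     # LTS-120 before the backport
    ("fed-01", "chromium-124.0.6367.78-1.fc38"),  # Fedora update on this page
    ("srv-01", "Firefox 125.0"),                  # not Chrome at all
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The branch heuristic is the part to adapt: if your inventory records the channel (stable, LTS) alongside the version, pass it as `branch` instead of inferring it from the major number.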

Mitigation

Until the patch can be applied, users should exercise caution when browsing untrusted websites and keep the browser's built-in security mitigations (the sandbox and site isolation) enabled. Because the vulnerable code is reached through WebGL, administrators can remove the attack surface on unpatched fleets by disabling 3D graphics APIs with the Chrome Disable3DAPIs enterprise policy (or by launching Chrome with --disable-3d-apis), at the cost of breaking WebGL content. Running the browser without administrative privileges and on an up-to-date operating system also reduces the impact if exploitation occurs.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379722)

Apr 24, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-4058.

Apr 24, 2024 at 11:06 AM / Google Chrome Releases
Vendor Advisory

Google released a security advisory.

Apr 24, 2024 at 12:05 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Apr 24, 2024 at 12:52 PM
Exploitation in the Wild

Attacks in the wild have been reported by SecurityWeek.

Apr 24, 2024 at 12:53 PM / SecurityWeek
Trending

This CVE started to trend in security discussions

Apr 24, 2024 at 3:26 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (193762)

Apr 24, 2024 at 9:15 PM
Trending

This CVE stopped trending in security discussions

Apr 28, 2024 at 8:26 PM
CVE Assignment

NVD published the first details for CVE-2024-4058

May 1, 2024 at 1:15 PM

Affected Systems

Google Chrome (desktop) before 124.0.6367.78
Google ChromeOS LTS-120 before 120.0.6099.309
Fedoraproject/fedora (chromium before 124.0.6367.78-1.fc38)

Patches

Google Chrome chrome-124.0.6367.78

Vendor Advisory

Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. This update includes 4 security fixes.

References

Long Term Support Channel Update for ChromeOS
LTS-120 is being updated in the LTS channel to 120.0.6099.309 (Platform Version: 15662.105.0) for most ChromeOS devices. This update contains selective security fixes, including: 332546345 Critical CVE-2024-4058 Type Confusion in ANGLE. (Giuliana Pritchard, Google ChromeOS)

chromium-124.0.6367.78-1.fc38
FEDORA-2024-2c9be9d949. Packages in this update: chromium-124.0.6367.78-1.fc38. Update description: update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn

News

Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog
Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days. Ahold Delhaize experienced a cyber incident ...
SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 19

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
