CVE-2024-5830

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Jun 1, 2024

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A type confusion vulnerability exists in the V8 JavaScript engine used in Google Chrome. This allows an attacker to potentially execute arbitrary code or cause a denial of service condition. The vulnerability is classified as high severity and involves type confusion in V8, as reported by Man Yue Mo of GitHub Security Lab on 2024-05-24.

Impact

This vulnerability could allow an attacker to execute malicious code and take control of an affected system, potentially leading to data theft, installation of malware, or other malicious activities. Denial of service attacks crashing or hanging the browser are also possible. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity with high impacts on confidentiality, integrity, and availability. It requires user interaction and can be exploited over the network without requiring privileges.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Patches are available and have been released by Google in Chrome version 126.0.6478.54 and by Microsoft. Google Chrome update version 126.0.6478.54 fixes this vulnerability.

Mitigation

Apply the latest stable Chrome browser update to version 126.0.6478.54 or later. For enterprise deployments of Chrome, apply the patch released by Microsoft.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Vendor Advisory

Google released a security advisory.

Jun 11, 2024 at 9:05 PM
First Article

Feedly found the first article mentioning CVE-2024-5830. See article

Jun 11, 2024 at 9:06 PM / Google Chrome Security Bulletins
CVE Assignment

NVD published the first details for CVE-2024-5830

Jun 11, 2024 at 9:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (200329)

Jun 12, 2024 at 1:16 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379941)

Jun 12, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.9%)

Jun 12, 2024 at 1:34 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Jun 20, 2024 at 4:10 PM / nvd
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 3, 2024 at 2:25 AM / nvd
Threat Intelligence Report

CVE-2024-5830 is a critical type confusion bug in v8, the Javascript engine of Chrome, allowing for remote code execution by visiting a malicious site. The bug was fixed in Chrome version 126.0.6478.56/57. There are proof-of-concept exploits available, and downstream impacts may affect other third-party vendors using the v8 engine. See article

Aug 13, 2024 at 3:05 PM
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Google Chrome chrome-126.0.6478.54
+null more

Vendor Advisory

Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

References

Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Last Week in Security - 2024-08-20
Six 0-Days Lead Microsoft’s August 2024 Patch Push - Microsoft released updates to fix 90 security vulnerabilities, including six zero-day flaws actively exploited by attackers. Google's Threat Analysis Group has disrupted APT42's activities, including resetting compromised accounts, sending warnings to targeted users, and blocking malicious domains and URLs. The group uses various tactics, such as hosting malware, phishing pages, and malicious redirects, to trick users into divulging their credentials and gaining access to their accounts.

News

IT Vulnerability Weekly Report: Cyble Urges Fixes for Fortinet, Palo Alto & More
CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
IT Vulnerability Weekly Report: Cyble Urges Fixes for Fortinet, Palo Alto & More
CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits
Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums. Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.
Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, Microsoft Dark Web Exploits
Microsoft’s Patch Tuesday included five new zero-day vulnerabilities, two of which are being actively exploited – and Cyble researchers have observed threat actors discussing the other three zero-days on cybercrime forums. Additionally, Cyble researchers detected 14 vulnerabilities and exploits shared on cybercrime forums that security analysts should also prioritize – including the three Microsoft zero-days not yet under active exploitation.
Mindbreeze InSpire - Version 24.5
The user interface of the Management Center has been adapted in terms of consistency and usability to simplify the Administration of Insight Services for Retrieval Augmented Generation (RAG). The Mindbreeze InSpire 24.5 release extends the API for Insight Services for Retrieval Augmented Generation (RAG).
See 75 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI