CVE-2024-5837

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Jun 1, 2024

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. This vulnerability allows an attacker to potentially execute arbitrary code or cause a denial of service condition on affected systems. The vulnerability has been classified as High severity and requires user interaction to be exploited. It affects the integrity, availability, and confidentiality of the system, with all three having a HIGH impact rating. The vulnerability is associated with CWE-843: Access of Resource Using Incompatible Type ('Type Confusion').

Impact

If successfully exploited, this vulnerability could allow an attacker to execute malicious code on the victim's system with the same privileges as the user running the browser. The potential impacts include: 1. Viewing, changing, or deleting data 2. Installing malicious programs 3. Creating new accounts with full user rights 4. In systems with elevated privileges, full system compromise is possible The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level. The attack vector is through the network, with low attack complexity and no privileges required, but user interaction is necessary for exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Google has released Chrome version 126.0.6478.54 to address this issue. Microsoft has also released an update for this vulnerability. The patch was made available on 2024-06-01, and Microsoft's patch followed on 2024-06-13. Users and administrators should apply the latest patches from their respective vendors immediately to mitigate the risk.

Mitigation

Until systems can be patched, the following mitigation strategies are recommended: 1. Avoid visiting untrusted websites or following links from untrusted sources in Chrome. 2. Consider using a different browser temporarily. 3. Enable strict site isolation in Chrome settings as a partial mitigation. It's crucial to apply the patches as soon as possible, as these mitigations are only temporary measures.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Vendor Advisory

Google released a security advisory.

Jun 11, 2024 at 9:05 PM
First Article

Feedly found the first article mentioning CVE-2024-5837. See article

Jun 11, 2024 at 9:06 PM / Google Chrome Security Bulletins
CVE Assignment

NVD published the first details for CVE-2024-5837

Jun 11, 2024 at 9:15 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 11, 2024 at 9:20 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (200329)

Jun 12, 2024 at 1:16 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379941)

Jun 12, 2024 at 5:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 8.9%)

Jun 12, 2024 at 1:34 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Jun 20, 2024 at 3:05 PM / nvd
CVSS

A CVSS base score of 8.8 has been assigned.

Jul 3, 2024 at 2:25 AM / nvd
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Google Chrome chrome-126.0.6478.54
+null more

Vendor Advisory

Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

References

Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Stable Channel Update for Desktop
Chrome 126.0.6478.56/57( Windows, Mac) has been pushed to extended stable channel as well We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

News

Mindbreeze InSpire - Version 24.5
The user interface of the Management Center has been adapted in terms of consistency and usability to simplify the Administration of Insight Services for Retrieval Augmented Generation (RAG). The Mindbreeze InSpire 24.5 release extends the API for Insight Services for Retrieval Augmented Generation (RAG).
stack.watch - Google Chrome - Security Vulnerabilities in 2024
Use after free in Tabs in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.
Chromium Browser をベースにパフォーマンス向上を目指す Thorium Browser
起動すると見た目は Chromium です.普通に使え,Chrome の拡張機能も利用できます.Google アカウントの同期も可能です. ということで使い勝手は Chromium と変わらず.
openSUSE 15 Security Update : opera (openSUSE-SU-2024:0223-1)
* DNA-116893 Put 'Show emojis in tab tooltip' in Settings * DNA-116918 Translations for 'Show emojis in tab tooltip'
opensuse openSUSE-SU-2024:0223-1: openSUSE 15 : Security update for opera (Important) (openSUSE-SU-2024:0223-1)
Development Last Updated: 7/27/2024 CVEs: CVE-2024-5834 , CVE-2024-5497 , CVE-2024-5840 , CVE-2024-5838 , CVE-2024-5843 , CVE-2024-5841 , CVE-2024-5836 , CVE-2024-5835 , CVE-2024-5845 , CVE-2024-5833 , CVE-2024-5499 , CVE-2024-5842 , CVE-2024-5830 , CVE-2024-5847 , CVE-2024-5498 , CVE-2024-5839 , CVE-2024-5832 , CVE-2024-5831 , CVE-2024-5495 , CVE-2024-6290 , CVE-2024-5494 , CVE-2024-5844 , CVE-2024-6291 , CVE-2024-5496 , CVE-2024-5493 , CVE-2024-5837 , CVE-2024-6292 , CVE-2024-6293 , CVE-2024-5846
See 53 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI