CVE-2024-9120

Use After Free (CWE-416)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 8.8 / EPSS 0.04% / High

Summary

A use-after-free vulnerability has been identified in Dawn, a component of Google Chrome on Windows. This flaw affects versions prior to 129.0.6668.70. The vulnerability allows a remote attacker to potentially exploit heap corruption through a specially crafted HTML page.

Impact

This vulnerability has a high severity rating with a CVSS v3.1 base score of 8.8. It can lead to high impacts on confidentiality, integrity, and availability. Successful exploitation could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to unauthorized access to sensitive information, manipulation of data, or disruption of the system's normal operation. The attack vector is network-based, requiring user interaction (such as visiting a malicious webpage), but no privileges are required for the attack.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

A patch is available. Google Chrome versions 129.0.6668.70 and later have addressed this vulnerability. It is crucial to update to this version or newer to mitigate the risk.

Mitigation

1. Immediately update Google Chrome to version 129.0.6668.70 or later on all Windows systems.
2. Implement browser isolation technologies to contain potential exploits.
3. Educate users about the risks of clicking on untrusted links or visiting suspicious websites.
4. Consider using ad-blockers and script-blockers to reduce exposure to potentially malicious content.
5. Regularly monitor for and apply security updates for Chrome and other browser components.
6. Implement network segmentation to limit the potential spread of an exploit if a system is compromised.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (380544)
Sep 24, 2024 at 7:53 AM

First Article
Feedly found the first article mentioning CVE-2024-9120.
Sep 24, 2024 at 6:18 PM / Not Simon 🐐

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Sep 24, 2024 at 6:56 PM

CVE Assignment
NVD published the first details for CVE-2024-9120
Sep 25, 2024 at 1:15 AM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.6%)
Sep 25, 2024 at 9:39 AM

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (207701)
Sep 25, 2024 at 3:15 PM

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Nessus (207700)
Sep 25, 2024 at 3:15 PM

CVSS
A CVSS base score of 8.8 has been assigned.
Sep 25, 2024 at 5:40 PM / nvd

Detection in Vulnerability Scanners
Detection for the vulnerability has been added to Qualys (6015979)
Sep 26, 2024 at 7:53 AM

Affected Systems

Google/chrome

Patches

Microsoft

News

Fedora 41 : chromium (2024-8008ddbd4e)
Nessus Plugin ID 211313 with High Severity

Synopsis: The remote Fedora host is missing one or more security updates.

Description: The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-8008ddbd4e advisory. Update to 129.0.6668.70

* High CVE-2024-9120: Use after free in Dawn
* High CVE-2024-9121: Inappropriate implementation in V8
* High CVE-2024-9122: Type Confusion in V8
* High CVE-2024-9123: Integer overflow in Skia

Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution: Update the affected chromium package.

Read more at https://www.tenable.com/plugins/nessus/211313

Chromium: CVE-2024-9120 Use after free in Dawn

electron31 -- multiple vulnerabilities

Multiple vulnerabilities in Prisma Access Browser
A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH)
Product Confidentiality HIGH Product Integrity HIGH

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
