CVE-2024-9121

Out-of-bounds Write (CWE-787)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

An inappropriate implementation in V8 in Google Chrome prior to version 129.0.6668.70 allows a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. This vulnerability is classified as High severity according to Chromium's security assessment.

Impact

This vulnerability could allow an attacker to perform out-of-bounds memory access, which is associated with CWE-787 (Out-of-bounds Write). The potential impacts are severe, with high risks to confidentiality, integrity, and availability. Successful exploitation could lead to arbitrary code execution, data corruption, or system crashes. The CVSS v3.1 base score is 8.8 (High), indicating significant potential for harm.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Google Chrome version 129.0.6668.70 and later. Users and administrators should update to this version or newer to mitigate the risk.

Mitigation

1. Update Google Chrome to version 129.0.6668.70 or later immediately.
2. If immediate patching is not possible, consider implementing network-level protections to filter potentially malicious HTML content.
3. Educate users about the risks of visiting untrusted websites or opening suspicious HTML files.
4. Monitor for any unusual activity or crashes in Chrome that might indicate exploitation attempts.
5. Consider using browser isolation technologies for high-risk users or environments.
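A fleet check for the fix threshold in step 1, as an added example that is not part of the original page: it parses browser version strings and compares them numerically against 129.0.6668.70, since a plain string comparison would rank 129.0.6668.100 below 129.0.6668.70. The host names and inventory lines are constructed sample data, and the function names are illustrative.

```python
import re

# Fixed Chrome version stated on this page for CVE-2024-9121.
FIXED = (129, 0, 6668, 70)

# Four dot-separated numeric fields, as Chrome and Chromium report them.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first 4-part version in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    version = parse_version(text)
    if version is None:
        # No parseable version: report it rather than assume it is safe.
        return "unknown"
    # Tuple comparison is numeric per field, so 100 > 70 in the last field.
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Map host -> status for an iterable of (host, version_output) pairs."""
    return {host: classify(output) for host, output in inventory}


# Constructed sample inventory (hypothetical hosts and collected output).
SAMPLE = [
    ("ws-001", "Google Chrome 129.0.6668.58"),
    ("ws-002", "Google Chrome 129.0.6668.70"),
    ("ws-003", "Google Chrome 129.0.6668.100"),
    ("ws-004", "Chromium 128.0.6613.137 Fedora Project"),
    ("ws-005", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```

The threshold applies to builds that use Chrome's own version numbering; other Chromium-based products named under Patches and News carry their own version numbers, which this page does not give.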

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380544)

Sep 24, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-9121.

Sep 24, 2024 at 6:18 PM / Not Simon 🐐
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 24, 2024 at 6:56 PM
CVE Assignment

NVD published the first details for CVE-2024-9121

Sep 25, 2024 at 1:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 25, 2024 at 9:39 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207701)

Sep 25, 2024 at 3:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (207700)

Sep 25, 2024 at 3:15 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Sep 25, 2024 at 5:40 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6015979)

Sep 26, 2024 at 7:53 AM

Affected Systems

Google/chrome

Patches

Microsoft

News

Fedora 41 : chromium (2024-8008ddbd4e)
Nessus Plugin ID 211313 with High Severity
Synopsis: The remote Fedora host is missing one or more security updates.
Description: The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-8008ddbd4e advisory.
Update to 129.0.6668.70
* High CVE-2024-9120: Use after free in Dawn
* High CVE-2024-9121: Inappropriate implementation in V8
* High CVE-2024-9122: Type Confusion in V8
* High CVE-2024-9123: Integer overflow in Skia
Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution: Update the affected chromium package.
Read more at https://www.tenable.com/plugins/nessus/211313
Chromium: CVE-2024-9121 Inappropriate implementation in V8
Python and NodeJS updates for SUSE
These are all security issues fixed in the python39-3.9.20-4.1 package on the GA media of openSUSE Tumbleweed. These are all security issues fixed in the nodejs-electron-31.7.2-1.1 package on the GA media of openSUSE Tumbleweed.
electron31 -- multiple vulnerabilities
Multiple vulnerabilities in Prisma Access Browser
A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
