CVE-2024-9122

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Sep 25, 2024 / Updated: 56d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

A type confusion vulnerability in V8 in Google Chrome prior to version 129.0.6668.70 allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page. This vulnerability has been classified with a High security severity by Chromium.

Impact

This vulnerability can lead to out-of-bounds memory access, which could potentially result in the disclosure of sensitive information, corruption of data, or execution of arbitrary code. The CVSS v3.1 base score is 8.8 (High), with high impacts on confidentiality, integrity, and availability. The attack vector is network-based, attack complexity is low, and no privileges are required, but user interaction is required.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Google Chrome version 129.0.6668.70 and later.

Mitigation

1. Update Google Chrome to version 129.0.6668.70 or later immediately.
2. If immediate updating is not possible, consider implementing network segmentation and restricting access to untrusted websites.
3. Educate users about the risks of visiting untrusted websites or clicking on suspicious links.
4. Monitor for any unusual activity or unauthorized access attempts in systems where Chrome is used.
5. Consider using browser isolation technologies for high-risk users or environments.
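To support step 1, the following added example (not part of the original advisory or any vendor tooling) classifies installs by self-reported version against the fixed versions quoted on this page, including the ChromeOS LTS-126 backport that a plain numeric comparison would wrongly flag. The inventory format, host names, sample versions and the `chromeos_lts` flag are assumptions; like the Nessus check cited on this page, it trusts the reported version number only.

```python
# Added example (not from the advisory): triage by self-reported version.
# Thresholds are the ones quoted on this page; the inventory is constructed.

FIXED_STABLE = (129, 0, 6668, 70)        # Chrome fix: 129.0.6668.70
# ChromeOS LTS-126 carries a backport: 126.0.6478.255 and later on that branch.
LTS_BACKPORTS = {(126, 0, 6478): 255}


def parse_version(text):
    """Return (major, minor, build, patch) or None if not a.b.c.d digits."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text, chromeos_lts=False):
    """Return 'patched', 'vulnerable' or 'unknown' for one install."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"              # never treat unparsable data as safe
    if version >= FIXED_STABLE:
        return "patched"
    # A plain numeric comparison would flag the LTS backport as vulnerable.
    min_patch = LTS_BACKPORTS.get(version[:3])
    if chromeos_lts and min_patch is not None and version[3] >= min_patch:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Map each host name to its classification."""
    return {host: classify(ver, lts) for host, ver, lts in inventory}


# Constructed inventory rows: (host, reported version, is ChromeOS LTS device)
SAMPLE_INVENTORY = [
    ("ws-01", "129.0.6668.70", False),
    ("ws-02", "129.0.6668.58", False),
    ("ws-03", "130.0.6723.59", False),
    ("cb-07", "126.0.6478.255", True),
    ("cb-08", "126.0.6478.250", True),
    ("ws-04", "126.0.6478.255", False),
    ("ws-05", "not-reported", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be followed up rather than counted as patched.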

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Sep 24, 2024 at 7:53 AM
Detection in Vulnerability Scanners: Detection for the vulnerability has been added to Qualys (380544)

Sep 24, 2024 at 6:18 PM / Not Simon 🐐
First Article: Feedly found the first article mentioning CVE-2024-9122.

Sep 24, 2024 at 6:56 PM
CVSS Estimate: Feedly estimated the CVSS score as HIGH

Sep 25, 2024 at 1:15 AM
CVE Assignment: NVD published the first details for CVE-2024-9122

Sep 25, 2024 at 9:39 AM
EPSS: EPSS Score was set to: 0.04% (Percentile: 9.6%)

Sep 25, 2024 at 3:15 PM
Detection in Vulnerability Scanners: Detection for the vulnerability has been added to Nessus (207701)

Sep 25, 2024 at 3:15 PM
Detection in Vulnerability Scanners: Detection for the vulnerability has been added to Nessus (207700)

Sep 25, 2024 at 5:40 PM / nvd
CVSS: A CVSS base score of 8.8 has been assigned.

Sep 26, 2024 at 7:53 AM
Detection in Vulnerability Scanners: Detection for the vulnerability has been added to Qualys (6015979)

Affected Systems

Google/chrome

Patches

Microsoft

News

Fedora 41 : chromium (2024-8008ddbd4e)
Nessus Plugin ID 211313 with High Severity

Synopsis: The remote Fedora host is missing one or more security updates.

Description: The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-8008ddbd4e advisory.

Update to 129.0.6668.70
* High CVE-2024-9120: Use after free in Dawn
* High CVE-2024-9121: Inappropriate implementation in V8
* High CVE-2024-9122: Type Confusion in V8
* High CVE-2024-9123: Integer overflow in Skia

Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution: Update the affected chromium package.

Read more at https://www.tenable.com/plugins/nessus/211313

Chromium: CVE-2024-9122 Type Confusion in V8
electron31 -- multiple vulnerabilities
Multiple vulnerabilities in Google ChromeOS
A remote attacker can trick the victim to open a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Long Term Support Channel Update for ChromeOS
A new LTS-126 version 126.0.6478.255 (Platform Version: 15886.80.0), is being rolled out for most ChromeOS devices. This version includes selected security fixes including:
* 365884464 High CVE-2024-9123 Integer overflow in Skia
* 365802567 High CVE-2024-9122 Type Confusion in V8
* 359949835 High CVE-2024-8905 Inappropriate implementation in V8

Giuliana Pritchard, Google Chrome OS

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
