CVE-2024-9602

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Oct 8, 2024 / Updated: 42d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A Type Confusion vulnerability in V8 in Google Chrome prior to version 129.0.6668.100 allows a remote attacker to perform an out of bounds memory write via a crafted HTML page. This vulnerability is classified as High severity by Chromium security.

Impact

This vulnerability could allow an attacker to execute arbitrary code or cause a denial of service. The attack vector is network-based, requires low attack complexity, and no privileges, but does require user interaction. Successful exploitation could lead to significant compromise of the affected system, potentially allowing attackers to read or modify sensitive data, execute unauthorized code, or disrupt system operations.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Google Chrome version 129.0.6668.100 and later.

Mitigation

1. Update Google Chrome to version 129.0.6668.100 or later immediately. 2. If immediate patching is not possible, consider implementing browser isolation techniques or restricting access to untrusted websites. 3. Educate users about the risks of visiting untrusted websites or clicking on suspicious links, as user interaction is required for exploitation. 4. Monitor for any unusual browser activity or system behavior that could indicate exploitation attempts. 5. Consider implementing network segmentation to limit the potential impact if a system is compromised.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9602. See article

Oct 8, 2024 at 10:13 PM / Catalog Updates Archives - Patch My PC
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 11:11 PM
CVE Assignment

NVD published the first details for CVE-2024-9602

Oct 8, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208278)

Oct 9, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208279)

Oct 9, 2024 at 1:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 9, 2024 at 10:30 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 9, 2024 at 5:40 PM / nvd
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208452)

Oct 9, 2024 at 11:15 PM
Threat Intelligence Report

CVE-2024-9602 is a critical type confusion vulnerability in the V8 JavaScript engine, which could potentially allow attackers to execute arbitrary code. The details regarding its exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors are not provided in the available information. Further investigation is necessary to assess the full scope and implications of this vulnerability. See article

Oct 10, 2024 at 9:31 AM
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Google Chrome chrome-129.0.6668.100
+null more

Vendor Advisory

Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

References

Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
Vulnerabilities in Google Chrome - Cyber Command Corporation
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user.

News

Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. Of this months patches only 8 are critical and 88 important.
qt5-webengine -- Multiple vulnerabilities
Third-Party Software Update Catalog Release History – October 2024
Third-Party Software Update Catalog Release History – October 2024 In October 2024, our third-party software update catalog for Microsoft SCCM contained 1457 bug, feature, and security-related updates. Below you will find a full list of relevant updates and new products for October 2024. 1457 Total Updates 512 Security Updates 439 of the 512 security updates include CVE-IDs 105 New Products New Products: Altova XMLSpy 2025 Enterprise Edition 2025.00.00.0 (EXE-x64) Altova XMLSpy 2025 Enterprise Edition 2025.00.00.0 (EXE-x86) Altova XMLSpy 2025 Professional Edition 2025.00.00.0 (EXE-x64) Altova XMLSpy 2025 Professional Edition 2025.00.00.0 (EXE-x86) Amazon Athena ODBC Driver 2.0.3.0 (MSI-x64) Apache Tomcat 11.0 (EXE-x64) Autodesk AutoCAD Mechanical 2022 v26.0.76.0 (EXE-x64) Autodesk AutoCAD Mechanical 2023 v27.0.77.0 (EXE-x64) Autodesk AutoCAD Mechanical 2024 v28.0.91.0 (EXE-x64) Autodesk AutoCAD Mechanical 2025 v29.0.73.0 (EXE-x64) AWP Identity Manager 5.3.5.385 (MSI-x64) AWP Identity Manager 5.3.5.385 (MSI-x86) Cherry Keys 1.0.7.0 (MSI-x64) Cherry Keys 1.0.7.0 (MSI-x86) Connective Signing Plugins 2.0.9.0 (MSI-x86) Dell Peripheral Manager 1.7.6.0 (EXE-x64) DigiDoc4 Client 4.6.0.5305 (MSI-x64) Drata Agent 3.6.1.0 (User-x64) eBuddy 12.4.2.32082 (MSI-x86) eID Software 24.10.18.8368 (EXE-x64) Elgato 4K Capture Utility 1.7.13.6046 (MSI-x64) Elgato Camera Hub 1.11.0.4066 (MSI-x64) Elgato Control Center 1.7.1.600 (MSI-x64) eParakstitajs 3.0 1.8.0.0 (MSI-x64) eParakstitajs 3.0 1.8.0.0 (MSI-x86) EUROMOD 3.7.6.0 (EXE-x64) FastCopy 5.8.0.0 (User-x64) GitHub Desktop 3.4.8 (User-x64) Go Integrator Cara 4.5.0.8688 (EXE) Helix Visual Client P4V 242.43.2.0 (EXE-x64) Helix Visual Client P4V 242.43.2.0 (MSI-x64) INI Viewer and Editor 2.11.0.0 (EXE-x64) Input Director 2.3.0.0 (EXE-x64) Iridium Browser 116.0.0.0 (MSI-x64) Iridium Browser 116.0.0.0 (MSI-x86) JetBrains Rider 2022 223.8836.53.0 (EXE-x86) JetBrains Rider 2023 233.15026.35.0 (EXE-x86) JetBrains Rider 2024 242.23726.100.0 (EXE-x86) JetBrains Rider Latest 242.23726.100.0 (EXE-x86) JetBrains Space 2023.1.7.0 (User-x64) ksnip 1.10.1.0 (MSI-x64) LAV Filters 0.79.2.0 (EXE-x86) LocalSend 1.15.4.0 (EXE-x64) LocalSend 1.15.4.0 (User-x64) MailStore Client 24.100.22356.0 (MSI-x86) MailStore Outlook Add-in 24.100.22356.0 (MSI-x86) MaxCut 2.9.3.4 (EXE-x86) MerciApp 2.6.12 (User-x64) Microsoft Visual Studio Tools for Applications 2015 14.0.23829.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2017 15.0.26717.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2019 16.0.31110.0 (EXE-x86) Microsoft Visual Studio Tools for Applications 2022 17.0.33529.0 (EXE-x86) Monosnap 5.1.13.0 (User-x64) Mozilla Firefox ESR 128.3.0 (x64 ja) Mozilla Firefox ESR 128.3.0 (x86 ja) Mozilla Thunderbird 128.3.0 (x64 de) Mozilla Thunderbird 128.3.0 (x64 ES-es) Mozilla Thunderbird 128.3.0 (x64 fr) Mozilla Thunderbird 128.3.0 (x64 it) Mozilla Thunderbird 128.3.0 (x86 de) Mozilla Thunderbird 128.3.0 (x86 ES-es) Mozilla Thunderbird 128.3.0 (x86 fr) Mozilla Thunderbird 128.3.0 (x86 it) MTPuTTY 1.8.5.0 (EXE-x86) MTPuTTY 1.8.5.0 (User-x86) NetPad 0.8.0.0 (EXE-x64) NetPad 0.8.0.0 (User-x64) Nuclino 1.6.5.0 (User-x64) Nullsoft Scriptable Install System 3.10.0.0 (EXE-x86) NVivo 15.0.0.12 (EXE-x64) Octoparse 8.7.2.0 (EXE-x64) Oracle VirtualBox 7.1.2 (EXE-x64) Oracle VirtualBox Latest 7.1.2.0 (EXE-x64) Pix4Dmatic 1.63.1.0 (MSI-x64) Power BI ALM Toolkit 5.1.3.0 (MSI-x64) Prowise Presenter 1.0.0.0 (EXE-x64) Prowise Presenter 1.0.0.0 (MSI-x64) Prowise Reflect 1.2.0.0 (EXE-x86) PrusaSlicer 2.8.1.0 (EXE-x64) PVSOL 2024 v2024.4.0.0 (EXE-x86) PVSOL premium 2024 v2024.8.0.0 (EXE-x86) PVsyst 7.4.8.0 (EXE-x64) Python 3.13.150.0 (EXE-x64) Python 3.13.150.0 (EXE-x86) QENC Decrypter 1.2.0.22173 (EXE-x86) QNAP Qfinder Pro 7.11.1.0726 (EXE-x86) QNAP Qsync Client 5.1.6.0906 (EXE-x86) QuDedup Extract Tool 1.1.5.24208 (EXE-x86) Rainbow 2.139.2.0 (MSI-x86) Rainbow 2.139.2.0 (User-x64) Rancher Desktop 1.16.0.0 (MSI-x64) Regression Suite Automation Tool 2.7.16771.39 (MSI) SBC Configuration Wizard 2.31.0.0 (EXE-x86) Simba Athena ODBC Driver 1.x 1.2.3.1000 (MSI-x64) Simba Athena ODBC Driver 1.x 1.2.3.1000 (MSI-x86) Syslog Viewer 2.25.0.0 (EXE-x64) Tableau Desktop 2024.2 24.2.1060.0 (EXE-x64) Tableau Desktop 2024.3 24.3.425.0 (EXE-x64) Tableau Prep Builder 2024.2 24.2.40000.0 (EXE-x64) Tableau Prep Builder 2024.3 24.3.40066.0 (EXE-x64) Termius 9.8.3.0 (User-x64) Voxbi 2.11.46.0 (MSI-x86) WinDirStat 2.0.3.832 (MSI-x64) WinDirStat 2.0.3.832 (MSI-x86) WinZip 29.0.16250.0 (MSI-x64) Updates Added: (Oldest to Newest) 1Password 8.10.46 (MSI-x64) 1Password 8.10.46 (User) Release Notes for 1Password 8.10.46 Release Type: ⬤ ⬤ Scan Detection Ratio 0/60 VirusTotal Latest Scan Results (MSI-x64) Scan Detection Ratio 0/70 VirusTotal Latest Scan Results (User) Advanced Installer 22.1.0 (MSI-x86) Release Notes for Advanced Installer 22.1.0 (MSI-x86) Release Type: ⬤
Updated chromium-browser-stable packages fix security vulnerabilities
Integer overflow in Layout. (CVE-2024-7025) Insufficient data validation in Mojo. (CVE-2024-9369) Inappropriate implementation in V8. (CVE-2024-9370) Type Confusion in V8. (CVE-2024-9602) Type Confusion in V8....
Vulnerability Summary for the Week of October 7, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 7.8 CVE-2024-47410 psirt@adobe.com adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 7.8 CVE-2024-47411 psirt@adobe.com adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 7.8 CVE-2024-47412 psirt@adobe.com adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 7.8 CVE-2024-47413 psirt@adobe.com adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
See 62 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI