CVE-2024-9603

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Oct 8, 2024 / Updated: 42d ago

CVSS: 8.8 (High) / EPSS: 0.04%

Summary

Type Confusion vulnerability in V8 in Google Chrome prior to version 129.0.6668.100 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This is classified as a high-severity issue by Chromium security standards.

Impact

This vulnerability could lead to heap corruption, which is a serious security issue. The potential impacts include:

1. Remote Code Execution (RCE): An attacker could potentially execute arbitrary code on the victim's system.
2. Information Disclosure: Sensitive data stored in memory could be exposed.
3. Denial of Service: The application could crash or become unresponsive.
4. Privilege Escalation: In some cases, the attacker might be able to gain elevated privileges on the system.

The attack vector is network-based, requiring user interaction (likely visiting a malicious webpage). The vulnerability has high impact on confidentiality, integrity, and availability of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Google Chrome versions 129.0.6668.100 and later have addressed this vulnerability. Users and administrators should update to the latest version of Google Chrome immediately.

Mitigation

1. Update Google Chrome to version 129.0.6668.100 or later immediately.
2. Enable automatic updates for Google Chrome to ensure timely application of security patches.
3. Implement browser isolation technologies to contain potential exploits.
4. Educate users about the risks of visiting untrusted websites.
5. Consider using ad-blockers and script-blockers to reduce exposure to potentially malicious content.
6. Monitor for any unusual activity or crashes in Chrome that could indicate exploitation attempts.
7. In enterprise environments, consider using group policies to force updates and restrict access to potentially dangerous sites.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9603.

Oct 8, 2024 at 10:13 PM / Catalog Updates Archives - Patch My PC
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 11:11 PM
CVE Assignment

NVD published the first details for CVE-2024-9603

Oct 8, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208278)

Oct 9, 2024 at 1:15 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208279)

Oct 9, 2024 at 1:15 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 9, 2024 at 10:30 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 9, 2024 at 4:40 PM / nvd
Threat Intelligence Report

CVE-2024-9603 is a high-severity Type Confusion vulnerability in V8 within Google Chrome prior to version 129.0.6668.100, with a CVSS base score of 8.8, allowing potential remote code execution and other serious impacts. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but a patch is available in the latest Chrome version, and detection has been added to Nessus vulnerability scanners. Mitigations include updating Chrome, enabling automatic updates, and educating users about risks associated with untrusted websites.

Oct 9, 2024 at 11:06 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (208452)

Oct 9, 2024 at 11:15 PM

Affected Systems

Google/chrome

Patches

Google Chrome chrome-129.0.6668.100

Vendor Advisory

Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

References

Vulnerabilities in Google Chrome - Cyber Command Corporation
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user.

News

Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here's the chart of MS patches that affect Windows platforms in the past month. Of this month's patches only 8 are critical and 88 important.
qt5-webengine -- Multiple vulnerabilities
Third-Party Software Update Catalog Release History – October 2024
Vulnerability Summary for the Week of October 7, 2024
freebsd 815bf172-ab9e-4c4b-9662-d18b0054330d: electron{31,32} -- multiple vulnerabilities
Released / Last Updated: 10/18/2024. CVEs: CVE-2024-9602, CVE-2024-9603. Plugins: 209292

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
