CVE-2024-9954

Use After Free (CWE-416)

Published: Oct 15, 2024 / Updated: 35d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

A use-after-free vulnerability in the AI component of Google Chrome versions prior to 130.0.6723.58 has been identified. This vulnerability allows a remote attacker to potentially exploit heap corruption through a crafted HTML page. The Chromium security severity for this issue is rated as High.

Impact

This vulnerability could allow an attacker to execute arbitrary code, potentially leading to full system compromise. The impact is severe, affecting all three main aspects of security: 1. Confidentiality: High impact, potentially allowing unauthorized access to sensitive data. 2. Integrity: High impact, possibly enabling attackers to modify or corrupt system data. 3. Availability: High impact, potentially causing system crashes or making resources unavailable. The attack vector is network-based, requiring user interaction (likely visiting a malicious webpage), but no special privileges are needed to exploit it. The CVSS base score for this vulnerability is 8.8, indicating a high severity level.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Google Chrome versions 130.0.6723.58 and later have addressed this vulnerability. Users and administrators should update to this version or newer to mitigate the risk.

Mitigation

1. Update Google Chrome to version 130.0.6723.58 or later immediately. 2. Enable automatic updates for Chrome to ensure future security patches are applied promptly. 3. Implement network segmentation and access controls to limit potential attack surfaces. 4. Educate users about the risks of clicking on unknown links or visiting untrusted websites. 5. Consider using browser isolation technologies for high-risk users or environments. 6. Monitor for any suspicious activities or unexpected behavior in Chrome installations.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380705)

Oct 15, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-9954. See article

Oct 15, 2024 at 8:05 PM / Neowin News Feed for: Software
CVE Assignment

NVD published the first details for CVE-2024-9954

Oct 15, 2024 at 9:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209038)

Oct 15, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209037)

Oct 15, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209036)

Oct 15, 2024 at 11:15 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 16, 2024 at 9:58 AM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 16, 2024 at 5:23 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 17, 2024 at 8:00 PM / nvd
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Microsoft
+null more

References

Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
Stable Channel Update for ChromeOS / ChromeOS Flex
ChromeOS Vulnerability Rewards Program Reported Bug Fixes: Beta Specific: ChromeOS Beta Help Community
Stable Channel Update for Desktop
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. This update includes 17 security fixes.
See 2 more references

News

Multiple vulnerabilities in Prisma Access Browser
A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Fedora 41 : chromium (2024-3a6f9ab958)
Nessus Plugin ID 211343 with High Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-3a6f9ab958 advisory. Update to 130.0.6723.58 * High CVE-2024-9954: Use after free in AI * Medium CVE-2024-9955: Use after free in Web Authentication * Medium CVE-2024-9956: Inappropriate implementation in Web Authentication * Medium CVE-2024-9957: Use after free in UI * Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture * Medium CVE-2024-9959: Use after free in DevTools * Medium CVE-2024-9960: Use after free in Dawn * Medium CVE-2024-9961:
Patch Tuesday November 2024 - 3 Zero Days!
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. Of this months patches only 8 are critical and 88 important.
PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates (Severity: HIGH)
Product Confidentiality HIGH Product Integrity HIGH
Chromium: CVE-2024-9954 Use after free in AI
See 69 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI