FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-9961

Use After Free (CWE-416)

Published: Oct 15, 2024 / Updated: 35d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

Use after free vulnerability in ParcelTracking in Google Chrome on iOS prior to version 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. This vulnerability has been classified with a Chromium security severity of Medium.

Impact

This vulnerability could potentially lead to heap corruption, which may result in arbitrary code execution, information disclosure, or application crashes. The impact is significant, with high potential for compromising confidentiality, integrity, and availability of the affected system. However, it requires user interaction, which somewhat limits its severity. The CVSS v3.1 base score is 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Google Chrome for iOS version 130.0.6723.58 and later.

Mitigation

1. Update Google Chrome on iOS devices to version 130.0.6723.58 or later. 2. Educate users about the risks of interacting with suspicious or unknown web content. 3. Implement browser isolation techniques to contain potential exploits. 4. Use content filtering or web security gateways to block access to potentially malicious websites. 5. Enable automatic updates for Google Chrome to ensure timely application of security patches.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380705)

Oct 15, 2024 at 7:53 AM
First Article

Feedly found the first article mentioning CVE-2024-9961. See article

Oct 15, 2024 at 8:05 PM / Neowin News Feed for: Software
CVE Assignment

NVD published the first details for CVE-2024-9961

Oct 15, 2024 at 9:15 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 9:21 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209038)

Oct 15, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209037)

Oct 15, 2024 at 11:15 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (209036)

Oct 15, 2024 at 11:15 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 16, 2024 at 9:58 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 16, 2024 at 8:40 PM / nvd
Static CVE Timeline Graph

Affected Systems

Google/chrome
+null more

Patches

Microsoft
+null more

References

MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - PATCH NOW
Top posts on r/k12cybersecurity / 34d
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user.

News

Multiple vulnerabilities in Prisma Access Browser
Security feed from CyberSecurity Help / 17h
A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Fedora 41 : chromium (2024-3a6f9ab958)
Newest Plugins from Tenable / 5d
Nessus Plugin ID 211343 with High Severity Synopsis The remote Fedora host is missing one or more security updates. Description The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-3a6f9ab958 advisory. Update to 130.0.6723.58 * High CVE-2024-9954: Use after free in AI * Medium CVE-2024-9955: Use after free in Web Authentication * Medium CVE-2024-9956: Inappropriate implementation in Web Authentication * Medium CVE-2024-9957: Use after free in UI * Medium CVE-2024-9958: Inappropriate implementation in PictureInPicture * Medium CVE-2024-9959: Use after free in DevTools * Medium CVE-2024-9960: Use after free in Dawn * Medium CVE-2024-9961:
Patch Tuesday November 2024 - 3 Zero Days!
Ultimate Windows Security Newsletter / 6d
So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month. Of this months patches only 8 are critical and 88 important.
PAN-SA-2024-0016 Chromium: Monthly Vulnerability Updates (Severity: HIGH)
Palo Alto Networks Security Advisories / 6d
Product Confidentiality HIGH Product Integrity HIGH
Chromium: CVE-2024-9961 Use after free in Parcel Tracking
Fedia / 12d
See 49 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.8(18246)CWE-416(5008)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial