CVE-2024-0517
published 2024-01-16CVE-2024-0517: Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP262high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
21.70%
97.3th percentile
Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 120.0.6099.224-1~deb11u1 | 120.0.6099.224-1~deb11u1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1~deb12u1 | 120.0.6099.224-1~deb12u1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1 | 120.0.6099.224-1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1 | 120.0.6099.224-1 |
| debian | chromium | < chromium 120.0.6099.224-1~deb12u1 (bookworm) | chromium 120.0.6099.224-1~deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 120.0.6099.224 | 120.0.6099.224 | |
| chrome | >= 120.0.6099.224 < 120.0.6099.224 | 120.0.6099.224 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Trigger vector is a crafted HTML page delivered remotely, targeting the V8 JavaScript engine's out-of-bounds write to achieve heap corruption — monitor for suspicious/malformed HTML pages served to Chrome/Edge users running versions prior to 120.0.6099.224. ↗
- →Check Point Harmony IPS signature 'Google Chrome Out of Bounds Write (CVE-2024-0517)' can be used as a network-level detection reference for this vulnerability. ↗
- →Chromium bug tracker ID 1507412 is associated with this CVE; can be used to cross-reference patch diffs or PoC code for rule development. ↗
- ·The vulnerability is fixed in Chrome 120.0.6099.224 and Microsoft Edge 120.0.2210.144; detections targeting unpatched versions should be scoped to browsers older than these builds. ↗
- ·Debian-based Linux systems running Chromium should verify the fixed package version 120.0.6099.224-1~deb12u1 (bookworm) or 120.0.6099.224-1~deb11u1 (bullseye) is installed, as the scope is listed as local on the Debian tracker. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-v39r-662x-j524: Out of bounds write in V8 in Google Chrome prior to 120
ghsa_unreviewed·2024-01-17
CVE-2024-0517 [HIGH] CWE-787 GHSA-v39r-662x-j524: Out of bounds write in V8 in Google Chrome prior to 120
Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2024-0517: Out of bounds write in V8 in Google Chrome prior to 120
osv·2024-01-16·CVSS 8.8
CVE-2024-0517 [HIGH] CVE-2024-0517: Out of bounds write in V8 in Google Chrome prior to 120
Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Chrome
Stable Channel Update for Desktop: CVE-2024-0517
vendor_chrome·2024-01-16·CVSS 8.8
CVE-2024-0517 [HIGH] Stable Channel Update for Desktop: CVE-2024-0517
Stable Channel Update for Desktop
CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06 [$1000][ 1507412 ] High CVE-2024-0518: Type Confusion in V8
Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03 [$TBD][ 1517354 ] High CVE-2024-0519: Out of bounds memory access in V8
Severity: high
Microsoft
Chromium: CVE-2024-0517 Out of bounds write in V8
vendor_msrc·2024-01-09·CVSS 8.8
CVE-2024-0517 [HIGH] Chromium: CVE-2024-0517 Out of bounds write in V8
Chromium: CVE-2024-0517 Out of bounds write in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
Click on Help and Feedback
Click on About Microsoft Edge
FAQ: Wha
Debian
CVE-2024-0517: chromium - Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a rem...
vendor_debian·2024·CVSS 8.8
CVE-2024-0517 [HIGH] CVE-2024-0517: chromium - Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a rem...
Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 120.0.6099.224-1~deb12u1)
bullseye: resolved (fixed in 120.0.6099.224-1~deb11u1)
forky: resolved (fixed in 120.0.6099.224-1)
sid: resolved (fixed in 120.0.6099.224-1)
trixie: resolved (fixed in 120.0.6099.224-1)
Suricata
GPL SNMP public access tcp
suricata·2010-09-23
CVE-1999-0517 GPL SNMP public access tcp
GPL SNMP public access tcp
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:established,to_server; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:15; metadata:created_at 2010_09_23, cve CVE_1999_0517, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
No public exploits indexed.
Checkpoint
5th February – Threat Intelligence Report
blogs_checkpoint·2024-02-05
CVE-2024-21893 5th February – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 5th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th February, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
AnyDesk Software GmbH , the company behind the popular remote desktop application, has confirmed a cybersecurity incident in which the attackers gained access to company’s production systems. Reportedly, source code and private code signing keys were stolen during the attack. As part of the response, AnyDesk have revoked
Bleepingcomputer
Google fixes first actively exploited Chrome zero-day of 2024
blogs_bleepingcomputer·2024-01-16·CVSS 8.8
CVE-2024-0519 [HIGH] Google fixes first actively exploited Chrome zero-day of 2024
## Google fixes first actively exploited Chrome zero-day of 2024
## Sergiu Gatlan
Although Google says the security update could take days or weeks to reach all impacted users, it was available immediately when BleepingComputer checked for updates today.
Those who prefer not to update their web browser manually can rely on Chrome to automatically check for new updates and install them after the next launch.
The high-severity zero-day vulnerability ( CVE-2024-0519 ) is due to a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via a crafted HTML page to gain access to data beyond the memory buffer through heap corruption, providing them access to sensitive information or triggering a crash.
"The expected sentinel
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1515930https://lists.fedoraproject.org/archives/list/[email protected]/message/IIUBRVICICWREJQUVT67RS7E4PVZQ5RS/https://lists.fedoraproject.org/archives/list/[email protected]/message/TNN4SO5UI3U3Q6ASTVT6WMZ4723FYDLH/https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1515930https://lists.fedoraproject.org/archives/list/[email protected]/message/IIUBRVICICWREJQUVT67RS7E4PVZQ5RS/https://lists.fedoraproject.org/archives/list/[email protected]/message/TNN4SO5UI3U3Q6ASTVT6WMZ4723FYDLH/https://www.vicarius.io/vsociety/posts/out-of-bound-write-in-v8-javascript-engine-cve-2024-0517
2024-01-16
Published