CVE-2024-0519
published 2024-01-16CVE-2024-0519: Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML…
PriorityP184high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-02-07
Exploited in the wild
EPSS
3.77%
88.6th percentile
Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 120.0.6099.224-1~deb11u1 | 120.0.6099.224-1~deb11u1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1~deb12u1 | 120.0.6099.224-1~deb12u1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1 | 120.0.6099.224-1 |
| chromium | chromium | >= 0 < 120.0.6099.224-1 | 120.0.6099.224-1 |
| couchbase | couchbase_server | < 7.2.5 | 7.2.5 |
| debian | chromium | < chromium 120.0.6099.224-1~deb12u1 (bookworm) | chromium 120.0.6099.224-1~deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 120.0.6099.224 | 120.0.6099.224 | |
| chrome | >= 120.0.6099.224 < 120.0.6099.224 | 120.0.6099.224 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2024-0519 is an out-of-bounds memory access vulnerability in the Chrome V8 JavaScript engine, exploitable via a crafted HTML page leading to heap corruption; any Chrome version prior to 120.0.6099.224 is vulnerable and actively exploited in the wild ↗
- →The vulnerability allows remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information; monitor for anomalous V8 heap activity or renderer crashes triggered by HTML page loads ↗
- →CVE-2024-0519 was confirmed exploited in the wild (zero-day); treat any unpatched Chrome instance below version 120.0.6099.224 as actively at risk ↗
- →Exploitation can result in browser crashes on unpatched versions; anomalous Chrome renderer process crashes may be an indicator of exploitation attempts ↗
- ·Fixed version for Chrome stable channel is 120.0.6099.224; Debian packages fixed in 120.0.6099.224-1~deb12u1 (bookworm), 120.0.6099.224-1~deb11u1 (bullseye), and 120.0.6099.224-1 (sid/trixie/forky) ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-vg6w-jr5m-86c8: Out of bounds memory access in V8 in Google Chrome prior to 120
ghsa_unreviewed·2024-01-17
CVE-2024-0519 [HIGH] CWE-125 GHSA-vg6w-jr5m-86c8: Out of bounds memory access in V8 in Google Chrome prior to 120
Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2024-0519: Out of bounds memory access in V8 in Google Chrome prior to 120
osv·2024-01-16·CVSS 8.8
CVE-2024-0519 [HIGH] CVE-2024-0519: Out of bounds memory access in V8 in Google Chrome prior to 120
Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
vulncheck·2024·CVSS 8.8
CVE-2024-0519 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html; https://www.cisa.gov/sites/default/files/feeds/known_
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-0519
vendor_chrome·2024-01-18·CVSS 8.8
CVE-2024-0519 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2024-0519
Long Term Support Channel Update for ChromeOS
CVE-2024-0519
CISA
Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
cisa·2024-01-17·CVSS 8.8
CVE-2024-0519 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
Vulnerability: Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html; https://nvd.nist.gov/vuln/detail/CVE-2024-0519
Remediation Due Date: 2024-02-07
Chrome
Stable Channel Update for Desktop: CVE-2024-0517
vendor_chrome·2024-01-16·CVSS 8.8
CVE-2024-0517 [HIGH] Stable Channel Update for Desktop: CVE-2024-0517
Stable Channel Update for Desktop
CVE-2024-0517: Out of bounds write in V8. Reported by Toan (suto) Pham of Qrious Secure on 2024-01-06 [$1000][ 1507412 ] High CVE-2024-0518: Type Confusion in V8
Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2023-12-03 [$TBD][ 1517354 ] High CVE-2024-0519: Out of bounds memory access in V8
Severity: high
Microsoft
Chromium: CVE-2024-0519 Out of bounds memory access in V8
vendor_msrc·2024-01-09·CVSS 8.8
CVE-2024-0519 [HIGH] Chromium: CVE-2024-0519 Out of bounds memory access in V8
Chromium: CVE-2024-0519 Out of bounds memory access in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-ha
Debian
CVE-2024-0519: chromium - Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allow...
vendor_debian·2024·CVSS 8.8
CVE-2024-0519 [HIGH] CVE-2024-0519: chromium - Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allow...
Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 120.0.6099.224-1~deb12u1)
bullseye: resolved (fixed in 120.0.6099.224-1~deb11u1)
forky: resolved (fixed in 120.0.6099.224-1)
sid: resolved (fixed in 120.0.6099.224-1)
trixie: resolved (fixed in 120.0.6099.224-1)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google patches new Chrome zero-day flaw exploited in the wild
blogs_bleepingcomputer·2026-06-09·CVSS 8.8
CVE-2026-11645 [HIGH] Google patches new Chrome zero-day flaw exploited in the wild
## Google patches new Chrome zero-day flaw exploited in the wild
## Sergiu Gatlan
While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.
Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.
This high-severity zero-day vulnerability ( CVE-2026-11645 ) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.
Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing s
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
Threat Intelligence
# Look What You Made Us Patch: 2025 Zero-Days in Review
March 5, 2026
##### Google Threat Intelligence Group
##### Google Threat Intelligence
Visibility and context on the threats that matter most.
Contact Us & Get a Demo
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
### Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first
Mandiant
Look What You Made Us Patch: 2025 Zero-Days in Review
blogs_mandiant·2026-03-05
Look What You Made Us Patch: 2025 Zero-Days in Review
## Look What You Made Us Patch: 2025 Zero-Days in Review
## Google Threat Intelligence Group
## Google Threat Intelligence
Visibility and context on the threats that matter most.
Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan
## Executive Summary
Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.
In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both
Bleepingcomputer
Google tags a tenth Chrome zero-day as exploited this year
blogs_bleepingcomputer·2024-08-26·CVSS 8.8
CVE-2024-7971 [HIGH] Google tags a tenth Chrome zero-day as exploited this year
## Google tags a tenth Chrome zero-day as exploited this year
## Sergiu Gatlan
This was announced in an update to a blog post where the company revealed last week that it had fixed another high-severity zero-day vulnerability (CVE-2024-7971) caused by a V8 type confusion weakness.
"Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release," the company said in today's update . "Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild."
Google has fixed both zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 Linux users, which have been rolling out to all users in the Stable Desktop channel since Wednesday.
Even though Chrome will automatically update
Bleepingcomputer
Google fixes ninth Chrome zero-day tagged as exploited this year
blogs_bleepingcomputer·2024-08-21·CVSS 8.8
CVE-2024-7971 [HIGH] Google fixes ninth Chrome zero-day tagged as exploited this year
## Google fixes ninth Chrome zero-day tagged as exploited this year
## Sergiu Gatlan
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability tagged as exploited in attacks.
"Google is aware that an exploit for CVE-2024-7971 exists in the wild," the company said in an advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in Chrome's V8 JavaScript engine. Security researchers with the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) reported it on Monday.
Although such security flaws can commonly enable attackers to trigger browser crashes after data allocated into memory is interpreted as a different type, they can also exploit them for arbitra
Bleepingcomputer
Google fixes eighth actively exploited Chrome zero-day this year
blogs_bleepingcomputer·2024-05-24·CVSS 8.8
[HIGH] Google fixes eighth actively exploited Chrome zero-day this year
## Google fixes eighth actively exploited Chrome zero-day this year
## Bill Toulas
A "type confusion" vulnerability occurs when a program allocates a piece of memory to hold a certain type of data but mistakenly interprets the data as a different type. This can lead to crashes, data corruption, as well as arbitrary code execution.
Google has not shared technical details about the flaw to protect users from potential exploitation attempts from other threat actors and allow them to install a browser version that addresses the problem.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," said the t
Bleepingcomputer
Google fixes third actively exploited Chrome zero-day in a week
blogs_bleepingcomputer·2024-05-15·CVSS 8.8
CVE-2024-4671 [HIGH] Google fixes third actively exploited Chrome zero-day in a week
## Google fixes third actively exploited Chrome zero-day in a week
## Sergiu Gatlan
Although such flaws generally enable threat actors to trigger browser crashes by reading or writing memory out of buffer bounds, they can also exploit them for arbitrary code execution on targeted devices.
The other two actively exploited Chrome zero-days patched this week are CVE-2024-4671 (a use-after-free flaw in the Visuals component) and CVE-2024-4761 (an out-of-bounds write bug in the V8 JavaScript engine).
Microsoft also said it's "aware of the recent exploits existing in the wild" targeting CVE-2024-4947 and that its engineers are "actively working on releasing a security fix" for the Chromium-based Edge web browser.
## Fix rolling out to Stable channel users
The company fixed the zero-day fla
Bleepingcomputer
Google Chrome emergency update fixes 6th zero-day exploited in 2024
blogs_bleepingcomputer·2024-05-14·CVSS 8.8
CVE-2024-4761 [HIGH] Google Chrome emergency update fixes 6th zero-day exploited in 2024
## Google Chrome emergency update fixes 6th zero-day exploited in 2024
## Bill Toulas
Out-of-bounds write issues occur when a program is allowed to write data outside the specified array or buffer, potentially leading to unauthorized data access, arbitrary code execution, or program crashes.
“Google is aware that an exploit for CVE-2024-4761 exists in the wild,” reads the advisory .
The company fixed the security flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. The updates will roll out to all users over the coming days/weeks.
For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.207 for Mac and Windows.
Chrome updates automatically when a security update is available, but users can confirm they’re run
Bleepingcomputer
Google fixes fifth Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2024-05-10·CVSS 8.8
CVE-2024-4671 [HIGH] Google fixes fifth Chrome zero-day exploited in attacks this year
## Google fixes fifth Chrome zero-day exploited in attacks this year
## Bill Toulas
“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” reads the advisory , without providing additional information.
Use after-free flaws are security flaws that occur when a program continues to use a pointer after the memory it points to has been freed, following the completion of its legitimate operations on that region.
Because the freed memory could now contain different data or be used by other software or components, accessing it could result in data leakage, code execution, or crash.
Google addressed the problem with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.
For users of the ‘Exten
Bleepingcomputer
Google fixes one more Chrome zero-day exploited at Pwn2Own
blogs_bleepingcomputer·2024-04-03·CVSS 8.8
[HIGH] Google fixes one more Chrome zero-day exploited at Pwn2Own
## Google fixes one more Chrome zero-day exploited at Pwn2Own
## Sergiu Gatlan
Palo Alto Networks security researchers Edouard Bochin and Tao Yan demoed the zero-day on the second day of Pwn2Own Vancouver 2024 to defeat V8 hardening.
Their double-tap exploit allowed them to execute arbitrary code on Google Chrome and Microsoft Edge, earning them a $42,500 award.
Google has now fixed the zero-day in the Google Chrome stable channel version 123.0.6312.105/.106/.107 (Windows and Mac) and 123.0.6312.105 (Linux), which will roll out worldwide over the coming days.
One week ago, Google fixed two more Chrome zero-days exploited at Pwn2Own Vancouver 2024. The first, a high-severity type confusion weakness (CVE-2024-2887) in the WebAssembly (Wasm) open standard, was targeted by Manfred Paul's
Bleepingcomputer
Google fixes Chrome zero-days exploited at Pwn2Own 2024
blogs_bleepingcomputer·2024-03-27·CVSS 8.8
CVE-2024-2886 [HIGH] Google fixes Chrome zero-days exploited at Pwn2Own 2024
## Google fixes Chrome zero-days exploited at Pwn2Own 2024
## Sergiu Gatlan
Described as a use-after-free (UAF) weakness in the WebCodecs API used by web apps to encode and decode audio and video content, it allows remote attackers to perform arbitrary reads/writes via crafted HTML pages.
Lee also used CVE-2024-2886 to gain remote code execution using a single exploit targeting both Google Chrome and Microsoft Edge.
Google fixed the two zero-days in the Google Chrome stable channel, version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users, which will roll out worldwide over the coming days.
Mozilla also fixed two Firefox zero-days exploited by Manfred Paul at Pwn2Own Vancouver 2024 on the same day the bugs were demoed.
While it only took Mozille one day and Goo
Bleepingcomputer
CISA pushes federal agencies to patch Citrix RCE within a week
blogs_bleepingcomputer·2024-01-17·CVSS 5.5
[MEDIUM] CISA pushes federal agencies to patch Citrix RCE within a week
## CISA pushes federal agencies to patch Citrix RCE within a week
## Sergiu Gatlan
Today, CISA ordered U.S. federal agencies to secure their systems against three recently patched Citrix NetScaler and Google Chrome zero-days actively exploited in attacks, pushing for a Citrix RCE bug to be patched within a week.
The cybersecurity agency added the flaws to its Known Exploited Vulnerabilities Catalog today, saying that such vulnerabilities are "frequent attack vectors for malicious cyber actors" that pose "significant risks to the federal enterprise."
Citrix urged customers on Tuesday to immediately patch Internet-exposed Netscaler ADC and Gateway appliances against the CVE-2023-6548 code injection vulnerability and the CVE-2023-6549 buffer overflow impacting the Netscaler management int
Bleepingcomputer
Google fixes first actively exploited Chrome zero-day of 2024
blogs_bleepingcomputer·2024-01-16·CVSS 8.8
CVE-2024-0519 [HIGH] Google fixes first actively exploited Chrome zero-day of 2024
## Google fixes first actively exploited Chrome zero-day of 2024
## Sergiu Gatlan
Although Google says the security update could take days or weeks to reach all impacted users, it was available immediately when BleepingComputer checked for updates today.
Those who prefer not to update their web browser manually can rely on Chrome to automatically check for new updates and install them after the next launch.
The high-severity zero-day vulnerability ( CVE-2024-0519 ) is due to a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via a crafted HTML page to gain access to data beyond the memory buffer through heap corruption, providing them access to sensitive information or triggering a crash.
"The expected sentinel
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1517354https://lists.fedoraproject.org/archives/list/[email protected]/message/IIUBRVICICWREJQUVT67RS7E4PVZQ5RS/https://lists.fedoraproject.org/archives/list/[email protected]/message/TNN4SO5UI3U3Q6ASTVT6WMZ4723FYDLH/https://www.couchbase.com/alerts/https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.htmlhttps://crbug.com/1517354https://lists.fedoraproject.org/archives/list/[email protected]/message/IIUBRVICICWREJQUVT67RS7E4PVZQ5RS/https://lists.fedoraproject.org/archives/list/[email protected]/message/TNN4SO5UI3U3Q6ASTVT6WMZ4723FYDLH/https://www.couchbase.com/alerts/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-0519
2024-01-16
Published
2024-01-17
Added to CISA KEV
Exploited in the wild