⚠ Actively exploited
Added to CISA KEV on 2024-05-13. Federal agencies required to patch by 2024-06-03. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2024-4671: Use After Free in Google Chrome

CWE-416: Use After Free | 15 documents | 13 sources
Severity: 9.6 CRITICAL (NVD)
EPSS: 0.2% (top 62.95%)
CISA KEV: added 2024-05-13, due 2024-06-03
Exploit: exploited in the wild, active exploitation observed
Timeline
KEV added: May 13
Published: May 14
Latest update: May 15
KEV due: Jun 3
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 6.0

Affected Packages (3 packages)

Source | Package | Version range
CVEListV5 | google/chrome | 124.0.6367.201 | 124.0.6367.201
NVD | google/chrome | < 124.0.6367.201
Debian | chromium/chromium | < 124.0.6367.201-1~deb12u1+2

Also affects: Fedora 38, 39, 40

🔴 Vulnerability Details (4)

OSV: CVE-2024-4671: Use after free in Visuals in Google Chrome prior to 124... (2024-05-14)
GHSA: GHSA-gg58-4q4g-xvcw: Use after free in Visuals in Google Chrome prior to 124... (2024-05-14)
CVEList: CVE-2024-4671: Use after free in Visuals in Google Chrome prior to 124... (2024-05-09)
VulnCheck: Google Chromium Visuals Use-After-Free Vulnerability (2024)

📋 Vendor Advisories (5)

Microsoft: Chromium: CVE-2024-4671 Use after free in Visuals (2024-05-14)
CISA: Google Chromium Visuals Use-After-Free Vulnerability (2024-05-13)
Chrome: Long Term Support Channel Update for ChromeOS: CVE-2024-4671 (2024-05-13)
Red Hat: chromium-browser: use after free in Visuals (2024-05-10)
Debian: CVE-2024-4671: chromium - Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a rem... (2024)

🕵️ Threat Intelligence (5)

Bleepingcomputer: Google fixes third actively exploited Chrome zero-day in a week (2024-05-15)
Schneier: Another Chrome Vulnerability (2024-05-14)
Qualys: Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching | Qualys (2024-05-11)
Qualys: Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching (2024-05-11)
Bleepingcomputer: Google fixes fifth Chrome zero-day exploited in attacks this year (2024-05-10)
CVE-2024-4671 — Use After Free in Google Chrome | cvebase