CVE-2024-4671
published 2024-05-14


Priority P187
CVSS 3.1: 9.6 (critical), AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2024-06-03
ITW: Exploited in the wild
EPSS: 8.35% (94.3th percentile)
Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 124.0.6367.201-1~deb12u1 | 124.0.6367.201-1~deb12u1 |
| chromium | chromium | >= 0 < 124.0.6367.201-1 | 124.0.6367.201-1 |
| chromium | chromium | >= 0 < 124.0.6367.201-1 | 124.0.6367.201-1 |
| debian | chromium | < chromium 124.0.6367.201-1~deb12u1 (bookworm) | chromium 124.0.6367.201-1~deb12u1 (bookworm) |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| google | chrome | < 124.0.6367.201 | 124.0.6367.201 |
| google | chrome | >= 124.0.6367.201 < 124.0.6367.201 | 124.0.6367.201 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs (extracted from sources)

url: https://track-adv[.]com/analytics.php?personalization_id=
domain: track-adv[.]com
domain: ceo-adviser[.]com
url: https://track-adv[.]com/market-analytics.php?pc=1
url: https://ceo-adviser[.]com/fb-connect.php?online=1
other: indexedDB database named 'tracker' (Chrome exploit client-side state storage)
other: URL parameter tt= with unique identifier format (e.g., 2msa5mmjhqxpdsyb5vlcnd2t)
version: Chrome 124.0.6367.201/.202 (Mac/Windows), 124.0.6367.201 (Linux) (patched versions)
  • Detect malicious iframes injected into legitimate Mongolian government websites (mfa.gov.mn, cabinet.gov.mn) pointing to attacker-controlled domains track-adv[.]com or ceo-adviser[.]com via obfuscated JavaScript.
  • Monitor for client-side indexedDB creation with the database name 'tracker', which is used by the Chrome exploit chain to store attack stage/status information.
  • Look for HTTP requests containing the 'tt=' parameter with a 24-character alphanumeric unique identifier across all stages of the exploit chain, as this is a consistent C2 tracking pattern.
  • The Chrome exploit chain targets Android users running Chrome versions m121 to m123; prioritize detection and patching on Android Chrome in that version range.
  • The exploit uses ECDH key exchange for stage encryption (unlike prior campaigns using a static key from C2); network traffic showing ECDH key negotiation before exploit delivery is a behavioral indicator.
  • The exploit chain only targeted Android users running Chrome versions m121–m123; users on patched versions (124.0.6367.201+) or non-Android platforms were not the intended targets of the CVE-2024-4671 sandbox escape.

CVSS provenance

nvd: v3.1, 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
osv: 9.6 CRITICAL
vulncheck: 9.6 CRITICAL
cisa: 9.6 CRITICAL
vendor_debian: 9.6 CRITICAL
vendor_msrc: 9.6 CRITICAL
vendor_redhat: 9.6 CRITICAL