CVE-2024-4761
published 2024-05-14CVE-2024-4761: Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page…
PriorityP185high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2024-06-06
Exploited in the wild
EPSS
11.01%
95.3th percentile
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 124.0.6367.207-1~deb12u1 | 124.0.6367.207-1~deb12u1 |
| chromium | chromium | >= 0 < 124.0.6367.207-1 | 124.0.6367.207-1 |
| chromium | chromium | >= 0 < 124.0.6367.207-1 | 124.0.6367.207-1 |
| debian | chromium | < chromium 124.0.6367.207-1~deb12u1 (bookworm) | chromium 124.0.6367.207-1~deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| chrome | < 124.0.6367.207 | 124.0.6367.207 | |
| chrome | >= 124.0.6367.207 < 124.0.6367.207 | 124.0.6367.207 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2024-4761 is an out-of-bounds write in Chrome's V8 JavaScript engine triggered via a crafted HTML page; confirmed exploited in the wild as of May 13, 2024. Flag Chrome versions prior to 124.0.6367.207 and Edge versions prior to 124.0.2478.105. ↗
- →Google has confirmed an exploit for CVE-2024-4761 exists in the wild; treat any unpatched Chrome/Edge instance as a high-priority remediation target. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2024-4761: Out of bounds write in V8 in Google Chrome prior to 124
osv·2024-05-14·CVSS 8.8
CVE-2024-4761 [HIGH] CVE-2024-4761: Out of bounds write in V8 in Google Chrome prior to 124
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
GHSA
GHSA-8q82-45v9-cmr9: Out of bounds write in V8 in Google Chrome prior to 124
ghsa_unreviewed·2024-05-14
CVE-2024-4761 [HIGH] CWE-787 GHSA-8q82-45v9-cmr9: Out of bounds write in V8 in Google Chrome prior to 124
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
vulncheck·2024·CVSS 8.8
CVE-2024-4761 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.uptycs.com/blog
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-4761
vendor_chrome·2024-05-23·CVSS 8.8
CVE-2024-4761 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2024-4761
Long Term Support Channel Update for ChromeOS
CVE-2024-4761
CISA
Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
cisa·2024-05-16·CVSS 8.8
CVE-2024-4761 [HIGH] CWE-787 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
Vulnerability: Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.html; https://nvd.nist.gov/vuln/detail/CVE-2024-4761
Remediation Due Date: 2024-06-06
Microsoft
Chromium: CVE-2024-4761 Out of bounds write in V8
vendor_msrc·2024-05-14·CVSS 8.8
CVE-2024-4761 [HIGH] Chromium: CVE-2024-4761 Out of bounds write in V8
Chromium: CVE-2024-4761 Out of bounds write in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2024-4761 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the wind
Red Hat
chromium-browser: Out of bounds write in V8
vendor_redhat·2024-05-13·CVSS 8.8
CVE-2024-4761 [HIGH] CWE-787 chromium-browser: Out of bounds write in V8
chromium-browser: Out of bounds write in V8
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
An out-of-bounds write vulnerability was found in the Chromium web browser. If a remote, unauthenticated attacker tricks a user into visiting a specially crafted HTML page, the attacker could write to memory, which is out of bounds. This issue could have impacts to integrity, availability, and confidentiality.
Statement: Chromium is not shipped in any supported Red Hat offerings.
Mitigation: Until updated packages are released for Fedora and EPEL, consider temporarily swapping to an alternative web browser such as Firefox or severely restricting activi
Debian
CVE-2024-4761: chromium - Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a rem...
vendor_debian·2024·CVSS 8.8
CVE-2024-4761 [HIGH] CVE-2024-4761: chromium - Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a rem...
Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 124.0.6367.207-1~deb12u1)
bullseye: open
forky: resolved (fixed in 124.0.6367.207-1)
sid: resolved (fixed in 124.0.6367.207-1)
trixie: resolved (fixed in 124.0.6367.207-1)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google tags a tenth Chrome zero-day as exploited this year
blogs_bleepingcomputer·2024-08-26·CVSS 8.8
CVE-2024-7971 [HIGH] Google tags a tenth Chrome zero-day as exploited this year
## Google tags a tenth Chrome zero-day as exploited this year
## Sergiu Gatlan
This was announced in an update to a blog post where the company revealed last week that it had fixed another high-severity zero-day vulnerability (CVE-2024-7971) caused by a V8 type confusion weakness.
"Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release," the company said in today's update . "Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild."
Google has fixed both zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 Linux users, which have been rolling out to all users in the Stable Desktop channel since Wednesday.
Even though Chrome will automatically update
Bleepingcomputer
Google fixes ninth Chrome zero-day tagged as exploited this year
blogs_bleepingcomputer·2024-08-21·CVSS 8.8
CVE-2024-7971 [HIGH] Google fixes ninth Chrome zero-day tagged as exploited this year
## Google fixes ninth Chrome zero-day tagged as exploited this year
## Sergiu Gatlan
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability tagged as exploited in attacks.
"Google is aware that an exploit for CVE-2024-7971 exists in the wild," the company said in an advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in Chrome's V8 JavaScript engine. Security researchers with the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) reported it on Monday.
Although such security flaws can commonly enable attackers to trigger browser crashes after data allocated into memory is interpreted as a different type, they can also exploit them for arbitra
Bleepingcomputer
Google fixes eighth actively exploited Chrome zero-day this year
blogs_bleepingcomputer·2024-05-24·CVSS 8.8
[HIGH] Google fixes eighth actively exploited Chrome zero-day this year
## Google fixes eighth actively exploited Chrome zero-day this year
## Bill Toulas
A "type confusion" vulnerability occurs when a program allocates a piece of memory to hold a certain type of data but mistakenly interprets the data as a different type. This can lead to crashes, data corruption, as well as arbitrary code execution.
Google has not shared technical details about the flaw to protect users from potential exploitation attempts from other threat actors and allow them to install a browser version that addresses the problem.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," said the t
Checkpoint
20th May – Threat Intelligence Report
blogs_checkpoint·2024-05-20
CVE-2024-30051 20th May – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 20th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th May, please download our Threat_Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Australian electronic prescriptions provider MediSecure suffered a significant ransomware attack, leading to widespread disruptions and data breaches. The impact of the attack has been profound, broadly affecting healthcare data broadly in the country.
WebTPA, an American healthcare management and administrative services provide
Bleepingcomputer
CISA warns of hackers exploiting Chrome, EoL D-Link bugs
blogs_bleepingcomputer·2024-05-19·CVSS 8.8
[HIGH] CISA warns of hackers exploiting Chrome, EoL D-Link bugs
## CISA warns of hackers exploiting Chrome, EoL D-Link bugs
## Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalog, one impacting Google Chrome and two affecting some D-Link routers.
Adding the issues to the KEV catalog serves as a warning to federal agencies and companies that threat actors are leveraging them in attacks and security updates or mitigations should be applied.
Federal agencies in the U.S. have until June 6th to replace affected devices or implement defenses that reduce or eliminate the risk of an attack.
## Actively exploited flaws
The vulnerability in Google Chrome, tracked as CVE-2024-4761 , has been confirmed by the vendor as actively exploited on May 13
Bleepingcomputer
Google fixes third actively exploited Chrome zero-day in a week
blogs_bleepingcomputer·2024-05-15·CVSS 8.8
CVE-2024-4671 [HIGH] Google fixes third actively exploited Chrome zero-day in a week
## Google fixes third actively exploited Chrome zero-day in a week
## Sergiu Gatlan
Although such flaws generally enable threat actors to trigger browser crashes by reading or writing memory out of buffer bounds, they can also exploit them for arbitrary code execution on targeted devices.
The other two actively exploited Chrome zero-days patched this week are CVE-2024-4671 (a use-after-free flaw in the Visuals component) and CVE-2024-4761 (an out-of-bounds write bug in the V8 JavaScript engine).
Microsoft also said it's "aware of the recent exploits existing in the wild" targeting CVE-2024-4947 and that its engineers are "actively working on releasing a security fix" for the Chromium-based Edge web browser.
## Fix rolling out to Stable channel users
The company fixed the zero-day fla
Bleepingcomputer
Google Chrome emergency update fixes 6th zero-day exploited in 2024
blogs_bleepingcomputer·2024-05-14·CVSS 8.8
CVE-2024-4761 [HIGH] Google Chrome emergency update fixes 6th zero-day exploited in 2024
## Google Chrome emergency update fixes 6th zero-day exploited in 2024
## Bill Toulas
Out-of-bounds write issues occur when a program is allowed to write data outside the specified array or buffer, potentially leading to unauthorized data access, arbitrary code execution, or program crashes.
“Google is aware that an exploit for CVE-2024-4761 exists in the wild,” reads the advisory .
The company fixed the security flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. The updates will roll out to all users over the coming days/weeks.
For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.207 for Mac and Windows.
Chrome updates automatically when a security update is available, but users can confirm they’re run
Qualys
Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching | Qualys
blogs_qualys·2024-05-11·CVSS 9.6
CVE-2024-4671 [CRITICAL] Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching | Qualys
#### Table of Contents
- Using Qualys and Zero-Touch Patching to Mitigate Risks
- Leveraging Qualys for Enhanced Security
- Google Chrome Zero-Day Update CVE-2024-4947 May 15, 2024
- Google Chrome Zero-Day Update CVE-2024-5274 May 24, 2024
On May 9th, Google released an emergency update for its Chrome browser to patch a critical zero-day vulnerability, CVE-2024-4671. The “use after free” vulnerability affects the Visuals component of Chrome, which is responsible for rendering and displaying content. CVE-2024-4671 was identified and reported to Google by an anonymous researcher. The company has disclosed that this vulnerability is likely being actively exploited. This vulnerability exploits a flaw in which a program continues to use a memory pointer after it has been freed, potentially le
Qualys
Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching
blogs_qualys·2024-05-11·CVSS 9.6
CVE-2024-4947 [CRITICAL] Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching
## Table of Contents
Using Qualys and Zero-Touch Patching to Mitigate Risks
Leveraging Qualys for Enhanced Security
Google Chrome Zero-Day Update CVE-2024-4947 May 15, 2024
Google Chrome Zero-Day Update CVE-2024-5274 May 24, 2024
On May 9th, Google released an emergency update for its Chrome browser to patch a critical zero-day vulnerability, CVE-2024-4671 . The “use after free” vulnerability affects the Visuals component of Chrome, which is responsible for rendering and displaying content. CVE-2024-4671 was identified and reported to Google by an anonymous researcher. The company has disclosed that this vulnerability is likely being actively exploited. This vulnerability exploits a flaw in which a program continues to use a memory pointer after it has been freed, potentially leading
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.htmlhttps://issues.chromium.org/issues/339458194https://lists.fedoraproject.org/archives/list/[email protected]/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/https://lists.fedoraproject.org/archives/list/[email protected]/message/NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/https://lists.fedoraproject.org/archives/list/[email protected]/message/WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_13.htmlhttps://issues.chromium.org/issues/339458194https://lists.fedoraproject.org/archives/list/[email protected]/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/https://lists.fedoraproject.org/archives/list/[email protected]/message/NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/https://lists.fedoraproject.org/archives/list/[email protected]/message/WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4761
2024-05-14
Published
2024-05-16
Added to CISA KEV
Exploited in the wild