⚠ Actively exploited
Added to CISA KEV on 2024-05-20. Federal agencies required to patch by 2024-06-10. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-4947Type Confusion in Google Chrome

CWE-843Type ConfusionCWE-416Use After Free16 documents14 sources
Severity
9.6CRITICALNVD
EPSS
0.4%
top 41.89%
CISA KEV
KEV
Added 2024-05-20
Due 2024-06-10
Exploit
Exploited in wild
Active exploitation observed
Affected products
3
Google ChromeChromiumFedoraproject Fedora
Timeline
PublishedMay 15
KEV addedMay 20
KEV dueJun 10
Latest updateOct 23
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages3 packages

CVEListV5google/chrome125.0.6422.60125.0.6422.60
NVDgoogle/chrome< 125.0.6422.60
Debianchromium/chromium< 125.0.6422.60-1~deb12u1+2

Also affects: Fedora 38, 39, 40

🔴Vulnerability Details

4
OSV
CVE-2024-4947: Type Confusion in V8 in Google Chrome prior to 1252024-05-15
GHSA
GHSA-p8v3-5hqq-7c5r: Type Confusion in V8 in Google Chrome prior to 1252024-05-15
CVEList
CVE-2024-4947: Type Confusion in V8 in Google Chrome prior to 1252024-05-15
VulnCheck
Google Chromium V8 Type Confusion Vulnerability2024

📋Vendor Advisories

6
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-49472024-05-23
CISA
Google Chromium V8 Type Confusion Vulnerability2024-05-20
Red Hat
chromium-browser: Type Confusion in V82024-05-15
Chrome
Stable Channel Update for Desktop: CVE-2024-49502024-05-15
Microsoft
Chromium: CVE-2024-4947 Type Confusion in V82024-05-14

🕵️Threat Intelligence

3
Securelist
The Crypto Game of Lazarus APT: Investors vs. Zero-days2024-10-23
Microsoft
North Korean threat actor Citrine Sleet exploiting Chromium zero-day2024-08-30
Qualys
Get Weekends Back: Put Chrome CVEs like CVE-2024-5274 on Auto-Patching2024-05-11
CVE-2024-4947 — Type Confusion in Google Chrome | cvebase