cbcvebase.
CVE-2024-5274
published 2024-05-28

CVE-2024-5274: Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page…

Priority: P1 88 · Severity: critical · CVSS 3.1 base score: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2024-06-18)
Exploited in the wild
EPSS: 10.02% (95.0th percentile)
Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected (10 ranges)

Vendor | Product | Version range | Fixed in
chromium | chromium | >= 0 < 125.0.6422.112-1~deb12u1 | 125.0.6422.112-1~deb12u1
chromium | chromium | >= 0 < 125.0.6422.112-1 | 125.0.6422.112-1
chromium | chromium | >= 0 < 125.0.6422.112-1 | 125.0.6422.112-1
debian | chromium | < chromium 125.0.6422.112-1~deb12u1 (bookworm) | chromium 125.0.6422.112-1~deb12u1 (bookworm)
fedoraproject | fedora | (not given) | (not given)
fedoraproject | fedora | (not given) | (not given)
google | chrome | < 125.0.6422.112 | 125.0.6422.112
google | chrome | >= 125.0.6422.112 < 125.0.6422.112 | 125.0.6422.112
google | chrome_chrome | (not given) | (not given)
msrc | microsoft_edge | (not given) | (not given)

Detection & IOCs (extracted from sources)

domain: track-adv[.]com
domain: ceo-adviser[.]com
url: https://track-adv[.]com/analytics.php?personalization_id=
url: https://track-adv[.]com/market-analytics.php?pc=1
url: https://ceo-adviser[.]com/fb-connect.php?online=1
domain: voyagorclub[.]space
domain: weinsteinfrog[.]com
  • The Chrome exploit chain for CVE-2024-5274 targets Android users running Chrome versions m121 to m123; detections should focus on unpatched Chrome versions below 125.0.6422.112 on Android devices visiting compromised Mongolian government sites.
  • The exploit delivery uses obfuscated JavaScript to inject a malicious iframe; monitor for obfuscated JS dynamically injecting iframes pointing to attacker-controlled domains with 'personalization_id=' query parameters.
  • The exploit chain uses an IndexedDB database named 'tracker' on the client side to store status information; the presence of an IndexedDB store named 'tracker' created by a suspicious origin may indicate active exploitation.
  • A unique session identifier matching the format of 25-character alphanumeric strings (e.g., '2msa5mmjhqxpdsyb5vlcnd2t') is passed as the 'tt=' URL parameter across all exploit stages; monitor for this pattern in HTTP requests to suspicious domains.
  • The exploit uses ECDH key exchange before sending exploit stages; unlike earlier campaigns that used a static decryption key from C2, detection of dynamic ECDH-based key negotiation in early HTTP exchanges may indicate this exploit chain.
  • CVE-2024-5274 is chained with CVE-2024-4671 (sandbox escape); detections should look for the combined exploitation of both vulnerabilities in the same session, as CVE-2024-5274 alone only compromises the renderer.
  • The CVE-2024-5274 exploit was effective only against Chrome versions m121 through m123 on Android; devices running Chrome 125.0.6422.112 or later are patched and not vulnerable.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
osv | | 9.6 | CRITICAL |
vulncheck | | 9.6 | CRITICAL |
cisa | | 9.6 | CRITICAL |
vendor_debian | | 9.6 | CRITICAL |
vendor_msrc | | 9.6 | CRITICAL |
vendor_redhat | | 9.6 | CRITICAL |