CVE-2024-7000 — Use After Free in Google Chrome

CWE-416 — Use After Free CWE-754 — Improper Check for Unusual or Exceptional Conditions CWE-923 — Improper Restriction of Communication Channel to Intended Endpoints CWE-229 — Improper Handling of Values36 documents10 sources

Severity

8.8HIGHNVD

OSV7.5

EPSS

0.3%

top 50.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium Paloalto Prisma Browser

Timeline

PublishedAug 6

Latest updateJan 17

Description

Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5google/chrome127.0.6533.72 — 127.0.6533.72

▶NVDgoogle/chrome< 127.0.6533.72

▶Debianchromium/chromium< 127.0.6533.88-1~deb12u1+2

▶Palo Altopaloalto/prisma_browser

🔴Vulnerability Details

OSV

expat vulnerabilities↗2024-09-17

▶

OSV

CVE-2024-7000: Use after free in CSS in Google Chrome prior to 127↗2024-08-06

▶

GHSA

GHSA-g494-wr54-xx2g: Use after free in CSS in Google Chrome prior to 127↗2024-08-06

▶

CVEList

CVE-2024-7000: Use after free in CSS in Google Chrome prior to 127↗2024-08-06

▶

📋Vendor Advisories

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2025-0447↗2025-01-17

▶

Chrome

Stable Channel Update for Desktop: CVE-2025-0434↗2025-01-14

▶

Juniper

CVE-2024-47490: An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos O↗2024-10-11

▶

Chrome

Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-7965↗2024-09-09

▶

Chrome

Stable Channel Update for Desktop: CVE-2024-7972↗2024-08-21

▶

💬Community

Bugzilla

CVE-2024-36939 kernel: nfs: Handle error of rpc_proc_register() in nfs_net_init().↗2024-06-03

▶

Bugzilla

CVE-2021-47321 kernel: watchdog: Fix possible use-after-free by calling del_timer_sync()↗2024-05-22

▶

Bugzilla

CVE-2024-35809 kernel: PCI/PM: Drain runtime-idle callbacks before driver removal↗2024-05-17

▶

Bugzilla

CVE-2024-26939 kernel: drm/i915/vma: Fix UAF on destroy against retire race↗2024-05-01

▶

Bugzilla

CVE-2024-27042 kernel: drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'↗2024-05-01

▶