CVE-2024-4671

CVSS 9.6 CRITICAL · EPSS 8.3% · KEV · CWE-416
Vexday Risk Score
58 Attention
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.6 · EPSS 8.3% · KEV yes · PoC · Nuclei · Metasploit · Patch
Lifecycle
09 May 2024: Published on NVD
13 May 2024: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A flaw in Google Chrome's visual rendering allows an attacker who already controls the browser's renderer process to escape the security sandbox through a specially crafted webpage, potentially gaining full system access.

Technical detail

Use-after-free vulnerability in the Visuals component allows a compromised renderer process to bypass sandbox isolation via crafted HTML. The attacker must first compromise the renderer, then trigger memory access after object deallocation to achieve arbitrary code execution with elevated privileges.

Summary generated and translated by AI from the official description.
Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected products
Google · Chrome
