CVE-2024-4947:
CVE-2024-4947 is a type confusion vulnerability in Google's Chrome V8 engine that could allow a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page, affecting Chrome versions prior to 125.0.6422.60.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.6Critical- Published Date:May 15, 2024
- CISA KEV Date:May 20, 2024
- Industries Affected:20
5 DaysThreat Predictions
- EPSS Score:0.4
- EPSS Percentile:59%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:REQUIRED
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2024-4947 is a type confusion vulnerability in Google's Chrome V8 engine that could allow a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page, affecting Chrome versions prior to 125.0.6422.60.
Overview
Google Chrome contains a type confusion vulnerability in the V8 engine that could let a remote attacker run arbitrary code in the browser sandbox through a crafted HTML page. The vulnerability affects Chrome versions prior to 125.0.6422.60 and is classified as High severity (CVSS v3.1 base score 9.6). It requires network access and user interaction, with no special privileges needed, and could impact confidentiality, integrity, and availability. A fix has been released in version 125.0.6422.60 and later.
Remediation
- Update Chrome to the latest stable release or at least to version 125.0.6422.60 or newer on all endpoints.
- If managing devices in an organization, ensure automatic updates are enabled (or deploy the update via your standard software update mechanisms) and verify deployment across all systems.
- After updating, restart Chrome and verify that the version is 125.0.6422.60 or newer on affected devices.
- If immediate patching isn’t feasible, implement compensating controls to reduce exposure: restrict or sanitize untrusted HTML content where possible, ensure Chrome sandboxing is active, and monitor for indicators of exploitation; plan for rapid patch deployment as soon as possible.
- Review vendor advisories and release notes related to this CVE, and subscribe to update channels to stay informed about future fixes and mitigations.
References
- - [Chrome stability update for desktop (May 15, 2024)](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html)
- - [Chromium issue 340221135](https://issues.chromium.org/issues/340221135)
- - [Fedora package-announce (NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/)](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/)
- - [Fedora package-announce (WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/)](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/)
- - [Fedora package-announce (6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/)](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/)
- - [CISA Known Exploited Vulnerabilities Catalog (CVE-2024-4947)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-4947)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:May 18, 2024
- CISA KEV Date:May 20, 2024
- Days Early:5 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
