Description Preview
This vulnerability (CWE-843) arises from a type confusion in Chrome’s V8 engine that could be exploited by delivering a specially crafted HTML page. If exploited, it could enable remote code execution within the Chrome sandbox. The issue affects Google Chrome versions before 125.0.6422.60, and is rated High severity with a CVSS v3.1 base score of 9.6. The attack vector is Network, with no privileges required, but user interaction is typically needed. Upgrading to Chrome 125.0.6422.60 or newer mitigates the vulnerability, as this fix was released in that version.
Overview
Google Chrome contains a type confusion vulnerability in the V8 engine that could let a remote attacker run arbitrary code in the browser sandbox through a crafted HTML page. The vulnerability affects Chrome versions prior to 125.0.6422.60 and is classified as High severity (CVSS v3.1 base score 9.6). It requires network access and user interaction, with no special privileges needed, and could impact confidentiality, integrity, and availability. A fix has been released in version 125.0.6422.60 and later.
Remediation
- Update Chrome to the latest stable release or at least to version 125.0.6422.60 or newer on all endpoints.
- If managing devices in an organization, ensure automatic updates are enabled (or deploy the update via your standard software update mechanisms) and verify deployment across all systems.
- After updating, restart Chrome and verify that the version is 125.0.6422.60 or newer on affected devices.
- If immediate patching isn’t feasible, implement compensating controls to reduce exposure: restrict or sanitize untrusted HTML content where possible, ensure Chrome sandboxing is active, and monitor for indicators of exploitation; plan for rapid patch deployment as soon as possible.
- Review vendor advisories and release notes related to this CVE, and subscribe to update channels to stay informed about future fixes and mitigations.
References
- Chrome stability update for desktop (May 15, 2024)
- Chromium issue 340221135
- Fedora package-announce (NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/)
- Fedora package-announce (WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/)
- Fedora package-announce (6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/)
- CISA Known Exploited Vulnerabilities Catalog (CVE-2024-4947)
Early Warning
Customers using Armis Early Warning were notified about this vulnerability before it appeared in CISA's Known Exploited Vulnerabilities Catalog, enabling them to assess their exposure and act proactively. Armis offers these examples of CVEs already included in CISA KEV for potential customers. Click here to learn how to receive alerts earlier.
- Armis Alert Date
- May 18, 2024
- CISA KEV Date
- May 20, 2024
2days early
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing: Medium
- Public AdministrationPublic Administration: Medium
- Health Care & Social AssistanceHealth Care & Social Assistance: Medium
- Educational ServicesEducational Services: Medium
- Transportation & WarehousingTransportation & Warehousing: Medium
- Finance and InsuranceFinance and Insurance: Medium
- Retail TradeRetail Trade: Medium
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Medium
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- UtilitiesUtilities: Low
- InformationInformation: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- MiningMining: Low
- ConstructionConstruction: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Wholesale TradeWholesale Trade: Low
