Cyber Resilience

CVE-2024-0519

HighCISA KEVActive ExploitationEUVD Exploited

Published: 16 January 2024

Published
16 January 2024
Modified
24 October 2025
KEV Added
17 January 2024
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0018 38.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-0519 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 38.8th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-0519 is an out-of-bounds memory access vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 120.0.6099.224. The flaw, assigned Chromium security severity High and mapped to CWEs 787 and 125, permits heap corruption when a victim visits a specially crafted HTML page.

A remote attacker can trigger the issue without authentication by serving malicious web content, achieving arbitrary code execution or other impacts that affect confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

Chrome stable channel updates released on 16 January 2024 address the bug, and downstream distributions such as Fedora have issued corresponding package updates; organizations are advised to apply these patches promptly. The current EPSS score of 0.0018 indicates limited observed exploitation interest.

EU & UK References

Vulnerability details

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
17 January 2024

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Out-of-bounds memory access in V8 enables remote heap corruption via crafted HTML page, facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).

Affected Assets

google
chrome
≤ 120.0.6099.224
fedoraproject
fedora
38, 39
couchbase
couchbase server
≤ 7.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the out-of-bounds memory access flaw in V8.

prevent

Mandates memory-protection mechanisms that can block or contain the heap-corruption primitive exploited by the crafted HTML page.

SC-18 Mobile Code partial match
prevent

Establishes usage restrictions and security controls on mobile code (JavaScript/V8) that can limit exposure to the malicious page.

References