CVE-2024-0519
Published: 16 January 2024
Summary
CVE-2024-0519 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fedoraproject Fedora. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 38.8th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-0519 is an out-of-bounds memory access vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 120.0.6099.224. The flaw, assigned Chromium security severity High and mapped to CWEs 787 and 125, permits heap corruption when a victim visits a specially crafted HTML page.
A remote attacker can trigger the issue without authentication by serving malicious web content, achieving arbitrary code execution or other impacts that affect confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.
Chrome stable channel updates released on 16 January 2024 address the bug, and downstream distributions such as Fedora have issued corresponding package updates; organizations are advised to apply these patches promptly. The current EPSS score of 0.0018 is a low predicted likelihood of exploitation, but EPSS is a forecast rather than a record of observed activity, and the CISA KEV listing marks this CVE as known to be exploited.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-16314
Vulnerability details
Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-787, CWE-125
- KEV Date Added: 17 January 2024
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Out-of-bounds memory access in V8 enables remote heap corruption via a crafted HTML page, facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5, AI)
- Directly requires timely application of the vendor patch that eliminates the out-of-bounds memory access flaw in V8.
- Mandates memory-protection mechanisms that can block or contain the heap-corruption primitive exploited by the crafted HTML page.
- Establishes usage restrictions and security controls on mobile code (JavaScript/V8) that can limit exposure to the malicious page.