CVE-2024-12381

High

Published: 12 December 2024

Modified: 13 December 2024
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0663 (91.4th percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12381 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-12381 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 131.0.6778.139. The flaw, assigned CWE-843, can result in heap corruption when a specially crafted HTML page is processed. It carries a CVSS 3.1 score of 8.8, reflecting high impact on confidentiality, integrity, and availability.

A remote attacker can trigger the issue by convincing a user to visit a malicious web page, allowing potential exploitation of the resulting memory corruption without requiring authentication or elevated privileges.

The referenced Chrome stable channel update and Chromium issue tracker entry indicate that the vulnerability is addressed by upgrading to version 131.0.6778.139 or later.

EPSS for this CVE rose from lower values to a peak of 0.1094 on 2026-02-23 before receding to the current 0.0663, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 131.0.6778.139

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References