CVE-2024-12382

Severity: High
Published: 12 December 2024
Modified: 13 December 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1257 (94.1st percentile)
Risk Priority: 25 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12382 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 5.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-12382 is a use-after-free vulnerability in the Translate component of Google Chrome versions prior to 131.0.6778.139. The flaw, tracked under CWE-416, can result in heap corruption when processing specially crafted HTML content. It carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and no required privileges.

A remote attacker can trigger the issue by serving a malicious HTML page that the victim visits in an affected browser build. Successful exploitation may allow the attacker to corrupt heap memory and potentially achieve arbitrary code execution or other impacts within the renderer process; user interaction (visiting the page) is required to reach the vulnerable code path, which is reflected in the UI:R component of the CVSS vector.

The Chrome stable-channel update released on 10 December 2024 upgrades the browser to version 131.0.6778.139 and resolves the defect. The associated Chromium issue tracker entry provides additional technical detail for developers and defenders. EPSS scores reached a peak of 0.1692 after disclosure before settling at the current value of 0.1257, indicating a measurable increase in exploitation interest following public release.

Vulnerability details

Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)

CWE-416: Use After Free
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: chrome
Versions: prior to 131.0.6778.139 (fixed in 131.0.6778.139)

Mitigating Controls

Likely mitigating controls (automatically derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Non-executable pages (NX/DEP) and ASLR (addresses CWE-416): use-after-free exploits that aim for arbitrary code execution are blocked or significantly hardened by non-executable pages and address space layout randomization. Applying the stable-channel update (131.0.6778.139 or later) remains the definitive fix.