CVE-2024-12382
Published: 12 December 2024
Summary
CVE-2024-12382 is a high-severity Use After Free (CWE-416) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-12382 is a use-after-free vulnerability in the Translate component of Google Chrome versions prior to 131.0.6778.139. The flaw, tracked under CWE-416, can result in heap corruption when processing specially crafted HTML content. It carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and no required privileges.
A remote attacker can trigger the issue by serving a malicious HTML page that the victim visits in an affected browser build. Successful exploitation may allow the attacker to corrupt heap memory and potentially achieve arbitrary code execution or other impacts within the renderer process, though user interaction is required to reach the vulnerable code path.
The Chrome stable-channel update released on 10 December 2024 upgrades the browser to version 131.0.6778.139 and resolves the defect. The associated Chromium issue tracker entry provides additional technical detail for developers and defenders. EPSS scores reached a peak of 0.1692 after disclosure before settling at the current value of 0.1257, indicating a measurable increase in exploitation interest following public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50816
Vulnerability details
Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.