CVE-2024-12692

Severity: High

Published: 18 December 2024

Modified: 11 February 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0539 (90.3th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12692 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it is ranked in the top 9.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a type confusion flaw, tracked as CWE-843, in the V8 JavaScript engine of Google Chrome versions prior to 131.0.6778.204. It carries a CVSS 3.1 base score of 8.8 and was assigned high severity by the Chromium project. The root cause allows heap corruption when V8 processes malicious input.

A remote attacker can exploit the issue without authentication by serving a crafted HTML page that triggers the type confusion during JavaScript execution. Successful exploitation can result in heap corruption that leads to confidentiality, integrity, and availability impacts on the affected browser process.

The referenced Chrome stable channel update and associated Chromium issue tracker entry indicate that the flaw is resolved by upgrading to version 131.0.6778.204 or later. The EPSS score has remained low, with a current value of 0.0539 and a peak of 0.0685.

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 131.0.6778.204 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome ≤ 131.0.6778.204

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.