CVE-2024-4671
Published: 14 May 2024
Summary
CVE-2024-4671 is a critical-severity Use After Free (CWE-416) vulnerability in Fedoraproject Fedora. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 31.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2024-4671 is a use-after-free vulnerability (CWE-416) in the Visuals component of Google Chrome versions prior to 124.0.6367.201. The flaw resides in the renderer process and carries a CVSS 3.1 score of 9.6, reflecting network attack vectors with low complexity and high impact across confidentiality, integrity, and availability when the sandbox boundary is crossed.
An attacker who has already achieved code execution inside the renderer can supply a specially crafted HTML page that triggers the use-after-free condition, enabling a sandbox escape and potential elevation to higher-privilege execution on the host system. The attack requires user interaction such as visiting a malicious web page but does not require additional privileges beyond renderer compromise.
Public advisories direct users to update to Chrome 124.0.6367.201 or later; corresponding packages have been issued for Fedora and other distributions to address the issue in stable channels.
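A defender's first question is whether a given install is below the fixed release. The check below is an added example, not code from the advisory or from the Chromium project: it parses the four-part Chrome version string, compares it against 124.0.6367.201, and optionally queries the installed binary. It assumes the browser answers `--version` with a line such as `Google Chrome 124.0.6367.118`; the binary name (`google-chrome`, or `chromium` on Fedora) is a parameter.

```python
import re
import subprocess

# Fixed release from the advisory: this version and later carry the patch.
FIXED_VERSION = "124.0.6367.201"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the first dotted numeric version from text as a tuple of ints.
    Shorter strings are right-padded with zeros so "124.0" compares as 124.0.0.0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported Chrome version is older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def check_installed(binary="google-chrome"):
    """Run `<binary> --version` and return (version_line, vulnerable),
    or None when the binary is absent or does not answer."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.strip(), is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample `--version` lines, not real captures.
    for sample in ["Google Chrome 124.0.6367.118",
                   "Google Chrome 124.0.6367.201 ",
                   "Chromium 125.0.6422.60"]:
        print(f"{sample.strip():30} vulnerable={is_vulnerable(sample)}")
    for binary in ("google-chrome", "chromium"):
        result = check_installed(binary)
        if result:
            print(f"{binary}: {result[0]} vulnerable={result[1]}")
```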
EPSS scores rose from a low baseline to a peak of 0.0197 on the disclosure date of 14 May 2024 before receding to the current value of 0.0057, indicating transient post-disclosure interest without confirmed in-the-wild exploitation at this time.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44272
Vulnerability details
Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 13 May 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch that eliminates the use-after-free flaw in Chrome 124.0.6367.201.
- SC-39 (Process Isolation): enforces separate execution domains for renderer processes, limiting the initial compromise surface that the sandbox-escape exploit relies on.
- Memory protection: mandates memory-protection safeguards that can block or contain use-after-free exploitation attempts within the compromised renderer.