Cyber Resilience

CVE-2024-4947

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 May 2024
Modified: 24 October 2025
KEV Added: 20 May 2024
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0106 (78.1th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-4947 is a critical-severity Type Confusion (CWE-843) vulnerability in the V8 JavaScript engine in Google Chrome; Fedora's Chromium packages are also listed as affected. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 21.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2024-4947 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 125.0.6422.60. The flaw, assigned CWE-843 and rated High severity by Chromium, carries a CVSS 3.1 score of 9.6 reflecting network attack vector, low complexity, and impacts to confidentiality, integrity, and availability under a changed scope.

A remote attacker can exploit the issue by serving a crafted HTML page that triggers the type confusion, resulting in arbitrary code execution inside the renderer sandbox. No authentication or special privileges are required, though user interaction via the browser is needed to load the malicious content.

Advisories direct users to upgrade to Chrome 125.0.6422.60 or later, as noted in the official stable channel release. Corresponding Fedora package updates have also been published to address the affected Chromium builds in those distributions. The EPSS score reached a peak of 0.0264 after disclosure before settling at the current value of 0.0106.

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-843
KEV Date Added: 20 May 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome: ≤ 125.0.6422.60
fedoraproject fedora: 38, 39, 40

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor patch that eliminates the type-confusion flaw in V8.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-limits execution of untrusted mobile code (JavaScript/HTML) that triggers the V8 flaw.

prevent, detect

Malicious-code protections can block or alert on crafted HTML pages designed to exploit the browser engine.
