Cyber Resilience

CVE-2024-5274

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 28 May 2024

Modified: 24 October 2025
KEV Added: 28 May 2024
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0664 (91.4th percentile)
Risk Priority: 43 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5274 is a critical-severity Type Confusion (CWE-843) vulnerability in V8 in Google Chrome; Fedoraproject Fedora is also listed as affected. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).

Deeper analysis

Type Confusion in the V8 JavaScript engine affected Google Chrome versions prior to 125.0.6422.112. The flaw, tracked as CVE-2024-5274 with CVSS 9.6 and CWE-843, permitted a remote attacker to trigger the vulnerability through a specially crafted HTML page.

An unauthenticated remote attacker could exploit the issue by convincing a user to visit a malicious web page, resulting in arbitrary code execution within the renderer sandbox. The attack requires user interaction (UI:R in the CVSS vector) but no privileges (PR:N).

Chrome stable channel updates released on 23 May 2024 upgraded the browser to version 125.0.6422.112 or later, addressing the type confusion. Corresponding packages were issued for Fedora and other distributions referencing the same Chromium fix.

EPSS for the CVE rose from lower values to a peak of 0.1289 on 2026-02-03 before receding to the current 0.0664, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added: 28 May 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome ≤ 125.0.6422.112
fedoraproject fedora 39, 40

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely application of patches to remediate the type-confusion flaw in V8 before exploitation occurs.

prevent · detect

Provides mechanisms to detect and block malicious code delivered via crafted HTML/JS pages that trigger the V8 vulnerability.

prevent

Requires integrity verification of browser binaries and components to ensure only patched versions of Chrome execute.