CVE-2024-5274
Published: 28 May 2024
Summary
CVE-2024-5274 is a critical-severity Type Confusion (CWE-843) vulnerability in the V8 JavaScript engine of Google Chrome; the affected-product listing names Fedoraproject Fedora because Fedora ships Chromium packages that carried the same flaw. Its CVSS base score is 9.6 (Critical), while Chromium's own severity rating for the bug is High.
Operationally, it ranks in the top 8.6% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), i.e. applying the Chrome or distribution update, and SI-3 (Malicious Code Protection).
Deeper analysis
The flaw is a type confusion in the V8 JavaScript engine affecting Google Chrome versions prior to 125.0.6422.112. Tracked as CVE-2024-5274 (CVSS 9.6, CWE-843), it can be triggered by a remote attacker through a specially crafted HTML page.
An unauthenticated remote attacker exploits the issue by convincing a user to visit a malicious web page, gaining arbitrary code execution inside the renderer sandbox. The attack requires user interaction (loading the page) but no privileges or authentication. Turning renderer code execution into a full system compromise additionally requires a sandbox escape, which this CVE on its own does not provide.
Chrome stable channel updates released on 23 May 2024 moved the browser to version 125.0.6422.112 or later, which contains the fix. Corresponding Chromium packages were issued for Fedora and other distributions referencing the same upstream fix.
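As an added example (not part of the advisory and not Chrome's or Fedora's own tooling), the following Python checks browser version strings from an inventory against the fixed release. The fixed version 125.0.6422.112 is the one named in the advisory; the hostnames, inventory lines, regex and function names (`parse_version`, `is_vulnerable`, `assess`, `chrome_version_from_cli`) are this example's own constructions. It compares versions numerically, component by component, because a string comparison would rank 9.x above 125.x, and it reports non-Chromium products separately since the threshold only applies to Google Chrome and Chromium builds (other Chromium-based browsers use their own version numbers). For distribution packages, confirm against the distribution advisory as well, because the package version string may not track upstream exactly.

```python
"""Version check for CVE-2024-5274 (added example, not from the advisory).

FIXED_VERSION is the first Chrome release with the V8 fix, taken from the
advisory text. Everything else here (function names, regex, sample inventory)
is constructed for illustration.
"""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION = "125.0.6422.112"          # from the advisory
FIXED_VERSION_TUPLE = (125, 0, 6422, 112)

# A dotted version with two to four numeric components, e.g. 125.0.6422.112.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")
# Product names the fixed-version threshold actually applies to.
_CHROMIUM_NAMES = ("google chrome", "chromium")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in ``text`` as a tuple of ints.

    Works for ``--version`` output ("Google Chrome 125.0.6422.60"), rpm-style
    package names ("chromium-124.0.6367.207-1.fc40") and bare versions.
    Returns None when no dotted version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...],
                  fixed: Tuple[int, ...] = FIXED_VERSION_TUPLE) -> bool:
    """True when ``version`` sorts before ``fixed``.

    Comparison is numeric and component-wise (a string comparison would put
    "9.9.9.9999" after "125.0.6422.112"). Shorter tuples are zero-padded, so
    (125, 0) is treated as 125.0.0.0, which is below the fix.
    """
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_version < padded_fixed


def assess(inventory_line: str) -> str:
    """Classify one inventory line.

    Returns "not-chromium" for products the threshold does not apply to,
    "unknown" when a Chromium line carries no parsable version, otherwise
    "vulnerable" or "patched".
    """
    lowered = inventory_line.lower()
    if not any(name in lowered for name in _CHROMIUM_NAMES):
        return "not-chromium"
    version = parse_version(inventory_line)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def chrome_version_from_cli(binary: str = "google-chrome") -> Optional[Tuple[int, ...]]:
    """Ask a locally installed browser for its version (None if not installed)."""
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False)
    return parse_version(result.stdout)


# Constructed sample inventory; the hostnames and lines are not real data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ws-01", "Google Chrome 125.0.6422.60"),          # one build before the fix
    ("ws-02", "Google Chrome 125.0.6422.112"),         # exactly the fixed release
    ("ws-03", "Chromium 126.0.6478.55"),               # later major version
    ("fedora-01", "chromium-124.0.6367.207-1.fc40"),   # rpm-style package string
    ("ws-04", "Mozilla Firefox 126.0"),                # threshold does not apply
    ("ws-05", "Google Chrome (version unavailable)"),  # nothing to compare
]


def assess_inventory(inventory=SAMPLE_INVENTORY) -> List[Tuple[str, str]]:
    """Return (host, status) for every inventory entry."""
    return [(host, assess(line)) for host, line in inventory]


if __name__ == "__main__":
    for host, status in assess_inventory():
        print(f"{host:10s} {status}")
```

Running the module prints one status per constructed host; in a real fleet check, feed it the output of `google-chrome --version` or the installed package name from each host, and treat "unknown" entries as unverified rather than as patched.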
EPSS for the CVE rose from lower values to a peak of 0.1289 on 2026-02-03 before receding to the current 0.0664, a period of heightened exploitation interest well after disclosure. Because the CVE is already in KEV, the EPSS movement changes its remediation priority less than it would for an unlisted CVE: it should already be treated as actively exploited.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46510
Vulnerability details
Type Confusion in V8 in Google Chrome prior to 125.0.6422.112 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 28 May 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Google Chrome prior to 125.0.6422.112 (V8 JavaScript engine)
- Fedora Chromium packages built before the distribution update carrying the same fix
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the Chrome 125.0.6422.112 update, or the corresponding distribution package, to remediate the type-confusion flaw in V8 before exploitation occurs.
- SI-3 (Malicious Code Protection): provides mechanisms to detect and block malicious code delivered via crafted HTML/JS pages that trigger the V8 vulnerability.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of browser binaries and components to ensure only patched versions of Chrome execute.