Cyber Resilience

CVE-2024-5830

High

Published: 11 June 2024

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0976 (93.1th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-5830 is a high-severity Type Confusion (CWE-843) vulnerability in the V8 JavaScript engine of Google Chrome that also affects Fedoraproject Fedora 39 and 40. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 6.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-5830 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 126.0.6478.54. The flaw, tracked under CWEs 843 and 787, permits an out-of-bounds memory write when a victim visits a specially crafted HTML page. It carries a CVSS 3.1 base score of 8.8 and was rated High severity by the Chromium project.

A remote attacker can exploit the issue without authentication by serving malicious web content that triggers the type confusion during JavaScript execution. Successful exploitation grants the ability to corrupt memory outside intended bounds, which can be leveraged to achieve arbitrary code execution or other high-impact effects on the confidentiality, integrity, and availability of the browser process.

Chrome stable channel updates released on 11 June 2024 advise users to upgrade immediately to version 126.0.6478.54 or later; downstream distributions such as Fedora have published corresponding package advisories directing administrators to apply the patched builds. The EPSS score has remained flat at 0.0976 with no material increase observed after disclosure.

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A type confusion vulnerability in the Chrome V8 JavaScript engine enables remote attackers to achieve an out-of-bounds memory write via a crafted HTML page, facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).

Affected Assets

google / chrome: ≤ 126.0.6478.54
fedoraproject / fedora: 39, 40

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
