Cyber Resilience

CVE-2024-6778

Severity: High
Public PoC: yes

Published: 16 July 2024
Modified: 26 December 2024
KEV Added: not listed
Patch: available (Chrome 126.0.6478.182)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1526 (94.8th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-6778 is a high-severity race condition (CWE-362) in Google Chrome. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 5.2% of CVEs by estimated exploit likelihood (EPSS 0.1526, 94.8th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-6778 is a race condition in DevTools in Google Chrome versions prior to 126.0.6478.182. The flaw, tracked under CWE-362 and CWE-366, lies in the handling of extension interactions with privileged pages (browser UI that ordinary web content and extensions are not allowed to script) and carries a CVSS v3.1 base score of 7.5.

An attacker who persuades a user to install a maliciously crafted Chrome extension can win the race to inject arbitrary scripts or HTML into such a privileged page. The CVSS vector reflects the preconditions: no privileges are required (PR:N) and the only user interaction is installing the extension (UI:R), but attack complexity is rated High (AC:H) because the injection depends on winning a timing window rather than on a deterministic trigger. Impact on confidentiality, integrity, and availability is rated High.

Chrome stable channel updates released on 16 July 2024 address the issue by advancing the browser to version 126.0.6478.182, as noted in the corresponding Chromium release notes and issue tracker entries. The EPSS score has remained flat at 0.1526, and no real-world exploitation has been reported.

Vulnerability details

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)

CWE(s)

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-366: Race Condition within a Thread

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
< 126.0.6478.182 (fixed in 126.0.6478.182)
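The affected range is "prior to 126.0.6478.182", so an inventory check has to compare Chrome's four-part build numbers numerically: a string comparison sorts 126.0.6478.9 after 126.0.6478.182 and would report a vulnerable build as patched. The following script is an added example, not code from the CVE entry or from Google; the inventory lines are constructed for the example, and the banner format it parses is the output of `google-chrome --version` (assumed here; adapt the regex for other sources).

```python
# Added example (not from the CVE page or from Google): checks installed
# Chrome build numbers against the fixed version for CVE-2024-6778, comparing
# the four dot-separated components as integers rather than as strings.
import re

FIXED_VERSION = "126.0.6478.182"   # first stable build with the fix (from the entry)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'126.0.6478.182' -> (126, 0, 6478, 182); rejects anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not a Chrome version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, i.e. inside the range the entry lists as affected."""
    return parse_version(installed) < parse_version(fixed)


def version_from_banner(banner):
    """Extract the build number from a line such as 'Google Chrome 126.0.6478.126'
    (assumed `google-chrome --version` format; constructed for this example)."""
    m = re.search(r"(\d+\.\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError("no version found in %r" % banner)
    return m.group(1)


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("host-a", "Google Chrome 126.0.6478.126"),
    ("host-b", "Google Chrome 126.0.6478.182"),
    ("host-c", "Google Chrome 126.0.6478.9"),
    ("host-d", "Google Chrome 127.0.6533.72"),
]


def triage(inventory):
    """Return the hosts still running a vulnerable build."""
    return [host for host, banner in inventory
            if is_vulnerable(version_from_banner(banner))]


def string_compare_is_wrong(installed, fixed=FIXED_VERSION):
    """True when a naive lexicographic comparison disagrees with the numeric one."""
    return (installed < fixed) != is_vulnerable(installed, fixed)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, "needs the", FIXED_VERSION, "update")
```

Take the version from the installed binary or the management console, not from a User-Agent string: current Chrome releases send a reduced User-Agent whose minor, build and patch components are frozen to 0.0.0, so the UA cannot tell 126.0.6478.126 from 126.0.6478.182.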

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so it describes generic CWE-362 controls rather than controls specific to this Chrome flaw.

addresses: CWE-362

Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

addresses: CWE-362

Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.

Neither generic control closes this CVE: the race is inside Chrome's DevTools code and is only reachable once a malicious extension has been installed. The controls that do address it are updating Chrome to 126.0.6478.182 or later and restricting which extensions users may install, for example through the Chrome enterprise policies ExtensionInstallAllowlist and ExtensionInstallBlocklist.
