Cyber Resilience

CVE-2024-9122

HighPublic PoC

Published: 25 September 2024

Published
25 September 2024
Modified
02 January 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1501 94.7th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-9122 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-9122 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 129.0.6668.70. The flaw, assigned CWE-843, permits out-of-bounds memory access when a victim renders a specially crafted HTML page, and it carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability.

A remote attacker can exploit the issue without authentication by serving the malicious page to a target user; successful exploitation may allow arbitrary memory reads or writes that could lead to code execution or browser process compromise.

The referenced Chrome stable-channel update and Chromium issue tracker entry indicate that the vulnerability is resolved by upgrading to version 129.0.6668.70 or later. The associated EPSS score remains flat at 0.1501 with no reported real-world exploitation activity.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 129.0.6668.70

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References