CVE-2024-0519: Google Chrome V8 RCE Vulnerability

CVE-2024-0519 Overview

CVE-2024-0519 is an out-of-bounds memory access vulnerability in the V8 JavaScript engine used by Google Chrome versions prior to 120.0.6099.224. A remote attacker can exploit the flaw by serving a crafted HTML page, potentially triggering heap corruption in the renderer process. Google rated the Chromium security severity as High. The vulnerability is tracked under [CWE-787] (Out-of-Bounds Write) and [CWE-125] (Out-of-Bounds Read). CISA added CVE-2024-0519 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw also affects downstream consumers of Chromium and V8, including Fedora 38, Fedora 39, and Couchbase Server.

Critical Impact

Remote attackers can trigger heap corruption in V8 through a crafted web page, enabling potential arbitrary code execution within the Chrome renderer. CISA confirmed active exploitation.

Affected Products

• Google Chrome prior to 120.0.6099.224
• Fedora Project Fedora 38 and 39
• Couchbase Server

Discovery Timeline

• 2024-01-16 - CVE-2024-0519 published to NVD following Google's stable channel update
• 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2024-0519

Vulnerability Analysis

The vulnerability resides in V8, the open-source JavaScript and WebAssembly engine that ships with Chromium-based browsers. V8 compiles JavaScript to native code through its TurboFan and Maglev optimizing pipelines. Out-of-bounds memory access in V8 typically arises when the engine reads or writes past the bounds of a typed array, object backing store, or internal buffer. The flaw is reachable from any JavaScript context, so a single visit to a malicious page is sufficient to invoke the vulnerable code path. Because V8 operates on memory allocated within the renderer's heap, an out-of-bounds access can corrupt adjacent object metadata, pointers, and inline caches. Attackers leverage this primitive to construct address leaks and arbitrary read/write capabilities inside the sandboxed renderer.

Root Cause

The root cause is improper bounds validation within V8 internal routines, leading to memory access outside an allocated region. The defect maps to both [CWE-787] for out-of-bounds writes and [CWE-125] for out-of-bounds reads. Heap corruption in V8 commonly stems from incorrect type assumptions, missing range checks during optimization, or stale bounds after array transitions.

Attack Vector

Exploitation requires the victim to load attacker-controlled HTML and JavaScript in a vulnerable Chrome build. The attacker hosts a crafted page that triggers the vulnerable V8 code path, corrupts the heap, and chains the primitive into renderer code execution. Pairing this bug with a sandbox escape would yield code execution outside the renderer. Specific exploitation details have not been publicly released by Google. Refer to the Chrome Bug Report #1517354 for tracking and the Google Chrome Update Announcement for vendor information.

Detection Methods for CVE-2024-0519

Indicators of Compromise

• Chrome processes terminating unexpectedly with renderer crash signatures referencing V8 heap or array out-of-bounds errors.
• Outbound connections from chrome.exe child renderer processes to untrusted domains immediately after browsing activity.
• Unexpected child processes spawned by Chrome renderer or browser processes, which may indicate a successful sandbox escape chain.
• Endpoints running Chrome builds older than 120.0.6099.224 identified through software inventory scans.

Detection Strategies

• Inventory installed Chrome versions across the fleet and flag any host running a build below 120.0.6099.224.
• Monitor renderer crash telemetry and Windows Error Reporting events tagged to V8 modules for spikes.
• Hunt for browser-initiated process trees that deviate from baseline, such as chrome.exe spawning cmd.exe, powershell.exe, or shell utilities.
• Correlate proxy and DNS logs for users visiting low-reputation domains shortly before browser crashes.

Monitoring Recommendations

• Track CISA KEV updates and Chrome stable channel announcements to prioritize emergency patching cycles.
• Enable browser telemetry forwarding to a central SIEM for crash, extension, and download event analytics.
• Alert on Chrome installs that fall behind the enterprise-defined patch SLA window.

How to Mitigate CVE-2024-0519

Immediate Actions Required

• Update Google Chrome to version 120.0.6099.224 or later on all Windows, macOS, and Linux endpoints.
• Apply Fedora package updates referenced in the Fedora Package Announcement for Fedora 38 and 39.
• Patch Couchbase Server installations per the Couchbase Security Alerts since the product embeds an affected V8 component.
• Restart browsers and dependent services after applying updates to ensure the patched V8 binary is loaded.

Patch Information

Google released the fix in the Chrome Stable channel update on January 16, 2024, advancing Windows builds to 120.0.6099.224/225 and Mac/Linux to 120.0.6099.224. Distribution-specific updates are tracked through the Fedora Package Announcement. CISA listing details are available in the CISA Known Exploited Vulnerabilities Catalog.

Workarounds

• Disable JavaScript execution for untrusted sites via Chrome enterprise policy until patches are deployed.
• Enforce site isolation and strict sandboxing through managed browser policies to limit renderer compromise impact.
• Restrict browsing to allow-listed domains for high-value endpoints that cannot be updated immediately.
• Block known malicious infrastructure at the web proxy or secure web gateway based on threat intelligence feeds.

# Configuration example: enforce minimum Chrome version via Group Policy on Windows
# Registry path for Chrome Enterprise managed updates
reg add "HKLM\Software\Policies\Google\Update" /v "UpdateDefault" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Google\Update" /v "AutoUpdateCheckPeriodMinutes" /t REG_DWORD /d 60 /f

# Verify installed Chrome version on Linux endpoints
google-chrome --version | awk '{print $3}'

# Fedora package update
sudo dnf update -y chromium