CVE-2024-0806 Overview
CVE-2024-0806 is a use-after-free vulnerability [CWE-416] in the Passwords component of Google Chrome prior to version 121.0.6167.85. A remote attacker can trigger heap corruption through specific user interface interactions, potentially leading to arbitrary code execution within the renderer process. The flaw affects desktop builds of Chrome across all major platforms, as well as Fedora 38 and Fedora 39 distributions that ship the affected Chromium packages.
Critical Impact
Successful exploitation can result in heap corruption and remote code execution in the browser context, compromising user credentials and enabling further attacker activity on the host.
Affected Products
- Google Chrome versions prior to 121.0.6167.85
- Fedora 38 (Chromium package)
- Fedora 39 (Chromium package)
Discovery Timeline
- 2024-01-23 - Google releases stable channel update for desktop addressing the issue
- 2024-01-24 - CVE-2024-0806 published to the National Vulnerability Database (NVD)
- 2025-06-20 - Last updated in NVD database
Technical Details for CVE-2024-0806
Vulnerability Analysis
The vulnerability resides in the Passwords subsystem of Google Chrome, which manages saved credentials and autofill behavior. A use-after-free [CWE-416] condition arises when a specific sequence of UI interactions causes an object to be freed while a reference to it is still retained. Subsequent access to the dangling pointer leads to heap corruption. An attacker can leverage this corruption to manipulate heap metadata or adjacent objects and achieve arbitrary code execution within the renderer or browser process.
Exploitation requires user interaction, typically by enticing the victim to visit a crafted page and perform UI actions that trigger the unsafe object lifetime. The attack is remote and does not require prior authentication.
Root Cause
The root cause is improper object lifetime management within the Passwords UI code path. An object is released before all consuming code paths complete their references, leaving a stale pointer accessible to the renderer. This violates the ownership guarantees expected by Chromium's memory management model.
Attack Vector
The attack vector is network-based. An attacker hosts a malicious page that lures the user into the specific password-manager UI interactions that free the object. Once the freed memory is reallocated, the attacker controls the contents of the released region and pivots from that corruption toward code execution. Reference details are available in the Chromium Bug Report #1505176 and the Google Chrome Update Announcement.
Detection Methods for CVE-2024-0806
Indicators of Compromise
- Chrome renderer or browser process crashes correlating with chrome.dll or libchrome.so access violations on heap regions
- Unexpected child processes spawned by chrome.exe following visits to untrusted password-manager-related pages
- Outbound network connections initiated by Chrome processes to unfamiliar infrastructure shortly after rendering attacker-controlled content
Detection Strategies
- Monitor Chrome version telemetry across managed endpoints to flag any host running a build older than 121.0.6167.85
- Inspect browser crash reports for heap-corruption signatures within the Passwords component code paths
- Correlate web proxy logs with endpoint process telemetry to identify users visiting suspicious sites immediately before browser crashes
Monitoring Recommendations
- Deploy EDR rules that alert on anomalous child-process creation from chrome.exe, particularly shells or scripting hosts
- Track DNS and HTTP telemetry for known credential-phishing and exploit-kit infrastructure targeting browsers
- Centralize Chrome stability reports and crash dumps for retrospective hunting against use-after-free indicators
How to Mitigate CVE-2024-0806
Immediate Actions Required
- Update Google Chrome to version 121.0.6167.85 or later on all Windows, macOS, and Linux endpoints
- Apply the Fedora chromium package updates referenced in the Fedora package announcements for Fedora 38 and Fedora 39
- Force-restart Chrome after deployment so that the patched binary is loaded into memory
- Audit enterprise update policies to confirm Chrome auto-update is not disabled on managed hosts
Patch Information
Google addressed the vulnerability in the stable channel update 121.0.6167.85 for desktop, documented in the Google Chrome Update Announcement. Fedora users should install the updated Chromium packages described in the Fedora 38 advisory and Fedora 39 advisory.
Workarounds
- Disable the Chrome built-in password manager via enterprise policy until patching is complete
- Restrict browsing to trusted sites through web filtering or DNS policy on unpatched hosts
- Enable Site Isolation and Enhanced Safe Browsing to reduce the impact of renderer-level exploitation
# Verify the installed Chrome version on Linux endpoints
google-chrome --version
# Update Chromium on Fedora hosts
sudo dnf upgrade --refresh chromium
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.