CVE-2024-1674 Overview
CVE-2024-1674 is a navigation handling flaw in Google Chrome versions prior to 122.0.6261.57. The vulnerability allows a remote attacker to bypass navigation restrictions by serving a crafted HTML page to a target browser. Google classified the issue under the Chromium security severity rating of Medium, while the National Vulnerability Database scored it as High due to the network attack surface and broad impact on confidentiality, integrity, and availability. The flaw affects Google Chrome on all supported desktop platforms and downstream Fedora 38 and Fedora 39 packages that ship Chromium-based builds.
Critical Impact
A remote attacker can bypass browser navigation restrictions through a crafted web page, enabling unauthorized cross-origin actions and undermining same-origin browsing protections.
Affected Products
- Google Chrome versions prior to 122.0.6261.57
- Fedora 38 Chromium packages
- Fedora 39 Chromium packages
Discovery Timeline
- 2024-02-20 - Google releases Stable Channel update for Desktop addressing the issue
- 2024-02-21 - CVE-2024-1674 published to the National Vulnerability Database
- 2024-12-04 - Last updated in NVD database
Technical Details for CVE-2024-1674
Vulnerability Analysis
The issue is an inappropriate implementation in the Navigation component of the Chromium engine. Navigation logic enforces security boundaries between origins, tabs, and frame contexts. When that logic is implemented incorrectly, attackers can trigger navigations that should otherwise be blocked or constrained by the browser's security model. Google describes the impact as a bypass of navigation restrictions, which typically encompasses behaviors such as URL spoofing, cross-origin information disclosure, or unintended interaction between privileged and unprivileged browsing surfaces. The vulnerability requires user interaction, since the victim must visit or interact with attacker-controlled HTML content. No authentication is required, and the attack is delivered entirely over the network through standard web traffic.
Root Cause
The root cause lies in how the Chromium Navigation stack validates or sequences navigation events. Improper enforcement allows a crafted HTML document to drive the browser into a state where restriction checks are not applied as intended. The advisory is tagged NVD-CWE-noinfo because Google has not disclosed the specific weakness class. The patch landed in Chromium issue tracker entry 40095183 and shipped in Chrome 122.0.6261.57.
Attack Vector
Exploitation requires a victim to load attacker-controlled HTML, typically through a phishing link, a malicious advertisement, or a compromised website. Once rendered, the crafted page triggers the flawed navigation path to evade browser restrictions. The vulnerability manifests during navigation handling within the rendering process. Detailed technical mechanics are not publicly available because the Chromium issue tracker entry remains restricted. See the Chromium Issue Tracker Entry and the Chrome Releases Blog Update for vendor information.
Detection Methods for CVE-2024-1674
Indicators of Compromise
- Browser process activity navigating to unexpected origins immediately after rendering an untrusted page
- Outbound HTTP/HTTPS requests to attacker-controlled domains following user interaction with phishing content
- Chrome installations reporting versions earlier than 122.0.6261.57 in asset inventories
Detection Strategies
- Inventory all endpoints running Chrome and flag versions below 122.0.6261.57 for remediation
- Correlate browser telemetry with proxy and DNS logs to identify navigations toward newly registered or low-reputation domains
- Monitor for renderer process anomalies, including unexpected child process spawning following web content rendering
Monitoring Recommendations
- Ingest browser version telemetry into a centralized logging or SIEM platform to track patch compliance
- Enable web proxy URL categorization and block access to known malicious or uncategorized sites
- Alert on user reports of unexpected redirects, URL bar inconsistencies, or unsolicited downloads
How to Mitigate CVE-2024-1674
Immediate Actions Required
- Update Google Chrome to version 122.0.6261.57 or later on all managed endpoints
- Apply the corresponding Fedora 38 and Fedora 39 Chromium package updates from the Fedora Package Announcement
- Restart browser sessions after the update so that the patched binary is loaded into memory
- Verify enterprise auto-update policies are enforcing the patched version without delay
Patch Information
Google addressed the flaw in the Stable Channel desktop release 122.0.6261.57 for Windows, macOS, and Linux. Refer to the Chrome Releases Blog Update for the full advisory and channel rollout details. Fedora shipped corresponding Chromium updates for Fedora 38 and Fedora 39.
Workarounds
- Restrict user navigation to trusted websites through enterprise web filtering until patches are deployed
- Enforce Chrome enterprise policies that disable execution of untrusted extensions and limit risky web features
- Train users to avoid clicking links from unsolicited messages and to report suspicious redirects
# Verify the installed Chrome version on Linux endpoints
google-chrome --version
# Update Chromium on Fedora systems
sudo dnf update -y chromium
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
