CVE-2024-3172 Overview
CVE-2024-3172 is an insufficient data validation vulnerability in the DevTools component of Google Chrome prior to version 121.0.6167.85. A remote attacker who convinces a user to perform specific UI gestures can execute arbitrary code through a crafted HTML page. The flaw is classified under [CWE-20] (Improper Input Validation) and carries a CVSS score of 8.8. Chromium rates the security severity as High. Exploitation requires user interaction, but successful attacks compromise confidentiality, integrity, and availability on the target host.
Critical Impact
Remote arbitrary code execution in the browser process when a user visits a malicious page and performs attacker-directed UI gestures.
Affected Products
- Google Chrome desktop versions prior to 121.0.6167.85
- Chromium-based browsers incorporating the vulnerable DevTools code
- Windows, macOS, and Linux Chrome stable channel builds prior to the January 23, 2024 update
Discovery Timeline
- 2024-07-16 - CVE-2024-3172 published to NVD
- 2025-03-18 - Last updated in NVD database
Technical Details for CVE-2024-3172
Vulnerability Analysis
The vulnerability resides in Chrome DevTools, the developer instrumentation surface bundled with the browser. DevTools accepts data from web content under specific conditions and fails to validate that input before acting on it. An attacker hosts a crafted HTML page and lures the victim into interacting with it. The required UI gestures trick the user into exposing the DevTools context to attacker-controlled content. Once that boundary is crossed, the attacker can execute arbitrary code outside the standard renderer sandbox restrictions.
The issue maps to [CWE-20] Improper Input Validation. DevTools holds elevated privileges relative to ordinary web pages, so any path that lets untrusted input influence its execution carries a high blast radius. The CVSS vector indicates network reachability, low attack complexity, no privileges, and required user interaction.
Root Cause
DevTools code paths did not sufficiently validate data crossing the boundary between web content and the DevTools frontend. Attackers can shape that data to drive DevTools into executing attacker-supplied logic. Detailed technical context is tracked in the Chromium Issue Tracker Entry.
Attack Vector
Delivery is web-based. The attacker hosts a malicious page, then social-engineers the victim into opening DevTools or performing other UI gestures that activate the vulnerable path. No credentials are required. Successful exploitation yields code execution at the privilege level of the browser process. See the Google Chrome Update Announcement for the vendor summary.
No public proof-of-concept or exploit code is currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.77% (73.8th percentile).
Detection Methods for CVE-2024-3172
Indicators of Compromise
- Chrome processes spawning unexpected child processes such as cmd.exe, powershell.exe, or /bin/sh shortly after visiting an unfamiliar site
- Outbound network connections originating from the browser to attacker-controlled hosts following DevTools interaction
- Browser telemetry showing DevTools opening on pages that should not trigger developer workflows
Detection Strategies
- Inventory Chrome versions across managed endpoints and flag any build below 121.0.6167.85
- Hunt for anomalous process trees where chrome.exe is the parent of script interpreters or LOLBins
- Correlate web proxy logs with endpoint process activity to identify users redirected to pages that prompt DevTools usage
Monitoring Recommendations
- Forward Chrome update status and browser process telemetry to your central logging platform
- Alert on script interpreter or shell execution chained from browser processes within short time windows
- Track DevTools usage on non-developer endpoints, since legitimate activations are rare in most enterprise populations
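An added example (not part of the original advisory or of any vendor tooling) showing the process-tree hunt and proxy-log correlation from the lists above, run over constructed telemetry. The event field names, host names, URLs and the five-minute look-back window are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename  # splits on both "\" and "/", so it handles Windows and POSIX paths

BROWSERS = {"chrome.exe", "chrome"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "sh", "bash"}
WINDOW = timedelta(minutes=5)  # assumed look-back for proxy correlation

# Constructed sample telemetry; field names are assumptions, not a product schema.
PROC_EVENTS = [
    {"ts": "2024-01-20T09:00:00", "host": "wk-01", "pid": 400, "ppid": 4, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2024-01-20T10:02:10", "host": "wk-01", "pid": 911, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-20T10:02:11", "host": "wk-01", "pid": 912, "ppid": 911, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2024-01-20T08:00:00", "host": "wk-02", "pid": 50, "ppid": 1, "image": "/usr/sbin/cron"},
    {"ts": "2024-01-20T10:05:00", "host": "wk-02", "pid": 77, "ppid": 50, "image": "/bin/sh"},
]
PROXY_LOG = [
    {"ts": "2024-01-20T09:30:00", "host": "wk-01", "url": "https://intranet.example/"},
    {"ts": "2024-01-20T10:01:30", "host": "wk-01", "url": "https://unfamiliar.example/page"},
]

def name(ev):
    return basename(ev["image"]).lower()

def hunt(proc_events, proxy_log, max_depth=3):
    """Flag interpreters with a browser ancestor and attach recently visited URLs."""
    by_pid = {(e["host"], e["pid"]): e for e in proc_events}  # sample data: no PID reuse
    alerts = []
    for ev in proc_events:
        if name(ev) not in INTERPRETERS:
            continue
        chain, cur = [name(ev)], ev
        for _ in range(max_depth):  # walk up the parent chain
            cur = by_pid.get((cur["host"], cur["ppid"]))
            if cur is None:
                break
            chain.append(name(cur))
            if name(cur) in BROWSERS:
                spawned = datetime.fromisoformat(ev["ts"])
                urls = [p["url"] for p in proxy_log if p["host"] == ev["host"]
                        and timedelta(0) <= spawned - datetime.fromisoformat(p["ts"]) <= WINDOW]
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "chain": " > ".join(reversed(chain)), "recent_urls": urls})
                break
    return alerts

if __name__ == "__main__":
    for alert in hunt(PROC_EVENTS, PROXY_LOG):
        print(alert)
```

Walking more than one level up the tree catches an interpreter launched through an intermediate shell, which a direct-parent rule alone would miss.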
How to Mitigate CVE-2024-3172
Immediate Actions Required
- Update Google Chrome to version 121.0.6167.85 or later on all Windows, macOS, and Linux endpoints
- Restart browser sessions after deployment so the patched binary is loaded
- Audit Chromium-based browsers and embedded Chromium runtimes for the same vulnerable DevTools code
Patch Information
Google released the fix in the Chrome stable channel update on January 23, 2024. Apply build 121.0.6167.85 or later. Full vendor details are in the Google Chrome Update Announcement. The underlying issue is tracked at the Chromium Issue Tracker Entry.
Workarounds
- Enforce automatic Chrome updates through enterprise policy until all endpoints report a patched build
- Train users to avoid opening DevTools or following gesture prompts on untrusted pages
- Restrict navigation to high-risk sites using web filtering or DNS controls while patch rollout completes
# Verify the installed Chrome version on managed endpoints
google-chrome --version
# Expected output: Google Chrome 121.0.6167.85 or later
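An added example (not from the original advisory) that turns the version check above into a fleet audit: it parses collected `--version` output and compares it numerically against the fixed build 121.0.6167.85. The host names and version strings are constructed sample data.

```python
import re

FIXED = (121, 0, 6167, 85)  # first patched build named in the advisory

def parse_version(text):
    """Extract a four-part Chrome/Chromium version from `--version` style output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory):
    """Return {host: 'patched' | 'vulnerable' | 'unknown'}."""
    report = {}
    for host, raw in inventory.items():
        version = parse_version(raw)
        if version is None:
            report[host] = "unknown"  # unparseable output: review by hand, never assume patched
        else:
            # Tuple comparison is numeric per component, unlike string comparison.
            report[host] = "patched" if version >= FIXED else "vulnerable"
    return report

# Constructed inventory (sample data, as collected from `google-chrome --version`).
INVENTORY = {
    "wk-01": "Google Chrome 121.0.6167.85 ",
    "wk-02": "Google Chrome 121.0.6167.9",   # a string compare would rank ".9" above ".85"
    "wk-03": "Google Chrome 99.0.4844.51",   # a string compare would rank "99" above "121"
    "wk-04": "Chromium 120.0.6099.224 built on Debian 12.4, running on Debian 12.4",
    "wk-05": "Google Chrome 122.0.6261.57",
    "wk-06": "",                             # agent returned nothing
}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

The threshold applies to Chrome and Chromium version numbering; a Chromium-based browser that reports its own version scheme needs the fixed build number from its own vendor.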


