
CVE-2024-3174: Google Chrome V8 RCE Vulnerability

CVE-2024-3174 is a remote code execution flaw in Google Chrome's V8 engine that allows attackers to exploit object corruption through malicious HTML pages. This article covers technical details, affected versions, and mitigations.


CVE-2024-3174 Overview

CVE-2024-3174 is a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome versions prior to 119.0.6045.105. The flaw stems from an inappropriate implementation in V8 that allows object corruption when a victim loads a crafted HTML page. A remote attacker can leverage the issue to manipulate JavaScript objects in memory and potentially achieve code execution within the renderer process. Chromium engineers classified the security severity as High, and the upstream fix shipped in the Chrome Stable channel update on October 31, 2023. The vulnerability requires user interaction, typically visiting an attacker-controlled web page.

Critical Impact

Remote attackers can trigger object corruption in the V8 engine via crafted HTML, enabling renderer compromise and a path to sandbox-bound code execution on systems running unpatched Chrome.

Affected Products

  • Google Chrome versions prior to 119.0.6045.105 on Desktop
  • Chromium-based browsers embedding affected V8 builds
  • Applications shipping with vulnerable V8 components

Discovery Timeline

  • 2024-07-16 - CVE-2024-3174 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-3174

Vulnerability Analysis

The vulnerability resides in V8, the JavaScript and WebAssembly engine that powers Chrome. An inappropriate implementation in object handling allows attacker-controlled JavaScript to drive V8 into a state where internal object representations become inconsistent. This object corruption breaks the integrity guarantees V8 enforces between JavaScript values and their backing memory layout.

Once an attacker corrupts an object, they can typically forge type information, read or write outside intended object boundaries, and pivot toward arbitrary read and write primitives in the renderer process. Exploitation occurs entirely from within a sandboxed renderer, but historically such V8 primitives have been chained with sandbox escapes to reach the host operating system. The issue is tracked alongside CWE-79 in the NVD record, though the underlying defect is a memory-safety class issue in the engine itself.

Root Cause

The root cause is an inappropriate implementation in V8 that fails to maintain invariants on object state under specific JavaScript execution patterns. Chromium issue #40073339 tracks the underlying defect and the corresponding fix landed for the Chrome 119 release line.

Attack Vector

Exploitation is network-based and requires the victim to load attacker-controlled content. An adversary hosts a crafted HTML page containing JavaScript designed to trigger the corruption path in V8. When a vulnerable Chrome instance renders the page, the malicious script manipulates objects to reach the corrupt state, then escalates to memory disclosure or arbitrary write within the renderer. Common delivery channels include phishing links, malvertising, and compromised third-party content served through iframes.

No authentication is required, and the attacker does not need privileges on the target system. No exploit code for this specific issue is publicly available, and the EPSS data does not indicate active exploitation campaigns. Technical details are available in the Google Chrome Stable Update advisory.

Detection Methods for CVE-2024-3174

Indicators of Compromise

  • Chrome process crashes or renderer termination events referencing V8 with stack frames in object or property handling routines
  • Outbound connections from chrome.exe child renderer processes to uncategorized domains immediately after visiting unfamiliar pages
  • Unexpected child processes spawned by Chrome renderers, which should not occur under normal sandboxing
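The third indicator as detection logic over process telemetry, added here as an example that is not part of this advisory: renderer processes are identified by the `--type=renderer` switch on their command line, and any process whose parent is a renderer is flagged. The image names and the sample events are assumptions constructed for the example.

```python
"""Flag processes spawned by Chrome renderer processes.

Added example (not from the advisory). Under normal sandboxing a
renderer (launched with --type=renderer) does not spawn children, so
a child of a renderer is the indicator described above. The events
are constructed sample data in an EDR-like shape.
"""
from dataclasses import dataclass

# Executable names treated as Chrome/Chromium (assumed for the example).
CHROME_IMAGES = {"chrome.exe", "chrome", "chromium", "chromium-browser"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: a normal browser tree (browser, GPU,
# renderers, network utility) plus one renderer that spawns a shell.
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "chrome.exe", "chrome.exe"),
    ProcEvent(1010, 1000, "chrome.exe", "chrome.exe --type=gpu-process"),
    ProcEvent(1020, 1000, "chrome.exe", "chrome.exe --type=renderer --renderer-client-id=5"),
    ProcEvent(1021, 1000, "chrome.exe", "chrome.exe --type=renderer --renderer-client-id=6"),
    ProcEvent(1030, 1000, "chrome.exe", "chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService"),
    ProcEvent(2000, 1021, "cmd.exe", "cmd.exe"),
]


def is_renderer(ev: ProcEvent) -> bool:
    """True when the event is a Chrome process started as a renderer."""
    return ev.image.lower() in CHROME_IMAGES and "--type=renderer" in ev.cmdline.split()


def find_renderer_children(events):
    """Return (child, renderer_parent) pairs for every process whose parent is a renderer."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is not None and is_renderer(parent):
            hits.append((ev, parent))
    return hits


if __name__ == "__main__":
    for child, parent in find_renderer_children(SAMPLE_EVENTS):
        print(f"ALERT pid={child.pid} image={child.image} parent_renderer_pid={parent.pid}")
```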

Detection Strategies

  • Inventory Chrome installations and flag any version below 119.0.6045.105 using endpoint configuration management telemetry
  • Monitor browser process trees for anomalous parent-child relationships originating from Chrome renderer processes
  • Correlate web proxy logs with endpoint browsing activity to identify visits to known malicious or newly registered domains hosting JavaScript-heavy payloads
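The version inventory check from the first strategy, added here as an example that is not part of this advisory: it compares Chrome version strings numerically against 119.0.6045.105 (a plain string comparison would rank 99.x above 119.x) and accepts either bare versions or `google-chrome --version` style output. The hostnames, version values and the extraction regex are assumptions constructed for the example.

```python
"""Flag Chrome installations below the CVE-2024-3174 fixed version.

Added example, not from the advisory. Dotted versions are compared
component by component as integers. Hostnames and version fields
below are constructed sample inventory data.
"""
import re

FIXED_VERSION = "119.0.6045.105"  # first Stable build carrying the fix

# Assumed telemetry shape: the version is the first dotted number in the field.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple:
    """Extract a dotted version (e.g. from 'Google Chrome 118.0.5993.117') as an int tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so a short "119.0" compares like 119.0.0.0.
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build predates the fixed version."""
    return parse_version(version_text) < parse_version(fixed)


# Constructed inventory records: (host, raw version field from telemetry)
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 118.0.5993.117"),
    ("ws-02", "119.0.6045.105"),
    ("ws-03", "Google Chrome 119.0.6045.123"),
    ("ws-04", "99.0.4844.51"),
    ("ws-05", "120.0.6099.71"),
]


def flag_vulnerable_hosts(inventory):
    """Return hostnames whose Chrome build is below FIXED_VERSION, oldest build first."""
    hits = [(parse_version(v), host) for host, v in inventory if is_vulnerable(v)]
    return [host for _, host in sorted(hits)]


if __name__ == "__main__":
    for host in flag_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below {FIXED_VERSION}, vulnerable to CVE-2024-3174")
```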

Monitoring Recommendations

  • Enable verbose Chrome crash reporting and forward crash dumps to a central analysis pipeline for V8-related signatures
  • Ingest browser version telemetry into your SIEM or data lake to maintain continuous patch posture visibility
  • Alert on JavaScript-driven memory pressure spikes within renderer processes that frequently correlate with exploit attempts

How to Mitigate CVE-2024-3174

Immediate Actions Required

  • Update Google Chrome to version 119.0.6045.105 or later on all Windows, macOS, and Linux endpoints
  • Restart Chrome after applying the update to ensure the patched V8 binary is loaded into memory
  • Audit Chromium-based browsers and embedded WebView components in your environment for V8 builds that predate the fix

Patch Information

Google released the fix in the Chrome Stable channel on October 31, 2023, with version 119.0.6045.105 for Windows, Mac, and Linux. Administrators should validate deployment through Chrome Enterprise policies or device management platforms. Refer to the Chrome Stable channel update announcement and Chromium tracker entry for details.

Workarounds

  • Where immediate patching is not feasible, disable JavaScript for untrusted origins through Chrome site settings or enterprise policy
  • Enforce strict site isolation and block execution of JavaScript from unknown advertising networks via DNS or proxy filtering
  • Restrict browsing on sensitive endpoints to a vetted allowlist of business-critical domains until updates are deployed
Configuration example: a Chrome enterprise policy file on Linux (/etc/opt/chrome/policies/managed/chrome_version_policy.json) that blocks JavaScript by default, allows it only on the listed trusted origins, and keeps component updates enabled so fixed builds continue to arrive.

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://corp.example.com",
    "https://sso.example.com"
  ],
  "BrowserSwitcherEnabled": false,
  "ComponentUpdatesEnabled": true
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
