CVE-2024-5159 Overview
CVE-2024-5159 is a heap buffer overflow vulnerability in ANGLE (Almost Native Graphics Layer Engine), the graphics translation layer used by Google Chrome to map OpenGL ES API calls to native hardware-supported APIs. The flaw affects Google Chrome versions prior to 125.0.6422.76 and allows a remote attacker to perform an out-of-bounds memory read by serving a crafted HTML page to a victim. The issue is classified under CWE-125 (Out-of-Bounds Read). Chromium rates this issue with High security severity, and the NVD assigns a CVSS 3.1 base score of 8.8.
Critical Impact
A remote attacker can trigger out-of-bounds heap memory reads in the rendering process by enticing a user to visit a malicious web page, potentially leading to information disclosure and undermining browser sandbox guarantees.
Affected Products
- Google Chrome prior to 125.0.6422.76
- Fedora 39
- Fedora 40
Discovery Timeline
- 2024-05-22 - CVE-2024-5159 published to NVD
- 2024-12-19 - Last updated in NVD database
Technical Details for CVE-2024-5159
Vulnerability Analysis
The vulnerability resides in ANGLE, the component responsible for translating WebGL and OpenGL ES calls into the native graphics API of the host system (Direct3D, Metal, or Vulkan). ANGLE processes attacker-influenced inputs from JavaScript and WebGL contexts within the renderer process. A crafted HTML page can cause ANGLE to read memory beyond the bounds of a heap-allocated buffer.
An out-of-bounds read in this context exposes adjacent heap memory contents to the renderer. Attackers commonly chain such reads with other primitives to disclose pointers, bypass Address Space Layout Randomization (ASLR), and stage follow-on exploitation against the Chrome renderer sandbox. The attack requires user interaction, specifically navigation to a malicious or compromised site.
Root Cause
The root cause is a heap buffer overflow leading to an out-of-bounds read inside ANGLE. The component fails to enforce correct boundary checks when processing certain graphics API inputs, allowing memory access past the allocated buffer. The defect is tracked in the Chromium Issue Tracker.
Attack Vector
Exploitation occurs over the network. An attacker hosts a crafted HTML page containing malicious WebGL or graphics-related content. When a victim visits the page in a vulnerable Chrome build, the renderer invokes ANGLE code paths that trigger the out-of-bounds read. No authentication is required, but user interaction (visiting the page) is necessary. The vulnerability mechanism is described in prose; no verified public exploit code is available. See the Google Chrome Update Announcement for vendor details.
Detection Methods for CVE-2024-5159
Indicators of Compromise
- Chrome renderer process crashes or unexpected terminations correlated with visits to untrusted web pages containing WebGL content.
- Browser telemetry showing chrome.exe or the renderer child process executing version strings older than 125.0.6422.76.
- Outbound connections from endpoints to newly registered or low-reputation domains immediately preceding renderer crashes.
Detection Strategies
- Inventory installed Chrome versions across the fleet and flag any build prior to 125.0.6422.76 as vulnerable.
- Monitor endpoint event logs for repeated chrome.exe renderer crash signatures (e.g., WerFault entries referencing ANGLE modules such as libGLESv2.dll).
- Correlate web proxy logs with crash events to identify URLs serving suspicious WebGL or shader content.
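The version inventory and the crash-to-URL correlation described in the strategies above, as an added example that is not part of the original advisory: a Python script that compares installed Chrome builds numerically against 125.0.6422.76 (string comparison would rank "99.x" above "125.x") and lists the URLs a host fetched in the seconds before a renderer crash. The hostnames, timestamps and URLs are constructed sample data; the 30-second look-back window and the dict-based record layout are assumptions about how the telemetry is shaped once it reaches the data lake.

```python
"""
Fleet check for CVE-2024-5159: flag Chrome builds older than the fixed
version and correlate renderer crash events with recently visited URLs.
All data below is constructed sample input, not real telemetry.
"""
from datetime import datetime, timedelta

# First Chrome Stable build carrying the fix, per the advisory.
FIXED_VERSION = "125.0.6422.76"


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted Chrome version into a tuple of ints so that
    comparisons are numeric; comparing the raw strings would put
    "99.0.4844.51" after "125.0.6422.76"."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def flag_outdated(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose Chrome build predates the fix (sorted)."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


def correlate_crashes(crashes, proxy_log, window=timedelta(seconds=30)):
    """For each renderer crash, collect the URLs the same host fetched within
    `window` before the crash. `crashes` and `proxy_log` are lists of dicts
    with 'host' and 'time' (datetime); proxy entries also carry 'url'.
    Assumed record layout, not a real log schema."""
    hits = []
    for crash in crashes:
        start = crash["time"] - window
        urls = [e["url"] for e in proxy_log
                if e["host"] == crash["host"] and start <= e["time"] <= crash["time"]]
        if urls:
            hits.append({"host": crash["host"], "crash_time": crash["time"], "urls": urls})
    return hits


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample inventory (hostname -> reported Chrome version).
SAMPLE_INVENTORY = {
    "ws-001": "124.0.6367.207",  # older than the fix
    "ws-002": "125.0.6422.76",   # exactly the fixed build
    "ws-003": "125.0.6422.112",  # newer than the fix
    "ws-004": "99.0.4844.51",    # naive string comparison would call this newest
}

# Constructed sample crash events and proxy entries.
SAMPLE_CRASHES = [
    {"host": "ws-001", "time": _t("2024-05-22T10:15:30")},
    {"host": "ws-003", "time": _t("2024-05-22T11:00:00")},  # no preceding fetches
]
SAMPLE_PROXY = [
    {"host": "ws-001", "time": _t("2024-05-22T10:15:12"), "url": "https://example.invalid/gl/index.html"},
    {"host": "ws-001", "time": _t("2024-05-22T10:15:20"), "url": "https://example.invalid/gl/shader.js"},
    {"host": "ws-001", "time": _t("2024-05-22T09:50:00"), "url": "https://intranet.example/"},  # outside window
    {"host": "ws-002", "time": _t("2024-05-22T10:15:25"), "url": "https://example.invalid/gl/index.html"},  # other host
]

if __name__ == "__main__":
    print("Hosts running a vulnerable Chrome build:", flag_outdated(SAMPLE_INVENTORY))
    for hit in correlate_crashes(SAMPLE_CRASHES, SAMPLE_PROXY):
        print(f"{hit['host']} crashed at {hit['crash_time']:%H:%M:%S}; "
              f"URLs fetched in the preceding 30 s: {hit['urls']}")
```

Feed `flag_outdated` the version map produced by your management tooling and `correlate_crashes` the crash and proxy records after normalising their timestamps to `datetime`; a host that is both outdated and shows WebGL-looking fetches right before a crash is the one to triage first.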
Monitoring Recommendations
- Enable browser version reporting through enterprise management (Chrome Browser Cloud Management) and alert on out-of-date installs.
- Ingest endpoint and proxy telemetry into a centralized data lake to correlate browsing activity with process anomalies.
- Track Fedora package update status on Linux endpoints via dnf audit logs to confirm chromium package patches are applied.
How to Mitigate CVE-2024-5159
Immediate Actions Required
- Update Google Chrome to version 125.0.6422.76 or later on all Windows, macOS, and Linux endpoints.
- Apply the corresponding Fedora chromium package updates referenced in the Fedora 39 advisory and Fedora 40 advisory.
- Force-restart Chrome browsers after deployment to ensure the patched binary is loaded.
Patch Information
Google released Chrome Stable channel version 125.0.6422.76 for Windows, Mac, and Linux on May 21, 2024, addressing CVE-2024-5159. Fedora Project published updated chromium packages for Fedora 39 and Fedora 40. Refer to the Google Chrome Update Announcement for the full advisory.
Workarounds
- Disable WebGL (via the chrome://flags interface) or turn off GPU acceleration with the enterprise policy HardwareAccelerationModeEnabled=false as a temporary measure where patching is delayed; both reduce exposure at the cost of graphics performance and some page functionality.
- Restrict browsing to trusted sites using enterprise URL allow-lists until patches are deployed.
- Deploy Chrome enterprise policies that enforce automatic updates so future ANGLE fixes apply without user action.
# Configuration example (Windows): keep Chrome on automatic updates via Google Update policy.
# Google Update policies live under HKLM\Software\Policies\Google\Update; Chrome browser
# policies live under HKLM\Software\Policies\Google\Chrome. UpdateDefault=1 means "always
# allow updates"; do not pin TargetVersionPrefix to a build, which would stop Chrome there.
reg add "HKLM\Software\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Policies\Google\Update" /v AutoUpdateCheckPeriodMinutes /t REG_DWORD /d 60 /f
# Component updates are governed separately by a Chrome policy:
reg add "HKLM\Software\Policies\Google\Chrome" /v ComponentUpdatesEnabled /t REG_DWORD /d 1 /f
# Fedora: refresh repository metadata and update the chromium package
sudo dnf upgrade --refresh chromium
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

