CVE-2024-5274 Overview
CVE-2024-5274 is a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome versions prior to 125.0.6422.112. A remote attacker can execute arbitrary code inside the Chrome sandbox by serving a crafted HTML page to a victim. The flaw is tracked under CWE-843 (Access of Resource Using Incompatible Type). CISA added this vulnerability to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The bug affects desktop Chrome builds across Windows, macOS, and Linux, including downstream Fedora 39 and 40 packages.
Critical Impact
Remote attackers can achieve arbitrary code execution inside the Chrome sandbox through a single visit to a malicious web page, with confirmed exploitation in the wild.
Affected Products
- Google Chrome prior to 125.0.6422.112
- Fedora 39
- Fedora 40
Discovery Timeline
- 2024-05-28 - CVE-2024-5274 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-5274
Vulnerability Analysis
The vulnerability is a type confusion issue within V8, Chrome's JavaScript and WebAssembly engine. Type confusion occurs when code allocates or accesses a resource using one type but later operates on it as if it were a different, incompatible type. In a just-in-time (JIT) compiled engine like V8, this class of bug typically allows an attacker to bypass runtime type checks and operate on object internals directly. The result is a powerful primitive for memory corruption that attackers chain into arbitrary read/write and ultimately code execution within the renderer process.
Google classified the Chromium security severity as High. The bug is referenced in the Chromium Issue Tracker entry and addressed in the Google Chrome Update Announcement. CISA confirmed in-the-wild exploitation by adding it to the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper type enforcement in V8 when handling specific JavaScript object operations. An attacker crafts JavaScript that causes V8 to treat an object as a different type than its actual layout. This mismatch allows out-of-bounds memory access against fields the engine believes are valid for the assumed type. Execution remains confined to the renderer sandbox unless chained with a separate sandbox escape.
Attack Vector
Exploitation requires a victim to load attacker-controlled HTML and JavaScript in Chrome. The attacker hosts a malicious page or injects script into a compromised site. No authentication is required, and user interaction is limited to navigating to the page. Once loaded, the crafted JavaScript triggers the type confusion in V8 and executes arbitrary code inside the renderer.
Verified public exploit code is not available in this dataset. Refer to the Chromium Issue Tracker entry for technical details once Google unrestricts the report.
Detection Methods for CVE-2024-5274
Indicators of Compromise
- Chrome renderer process crashes referencing V8 or v8::internal frames in crash dumps, particularly when loading untrusted pages.
- Unexpected child processes spawned by chrome.exe or the Chrome Helper (Renderer) process, such as shells or scripting interpreters.
- Outbound network connections from the Chrome renderer process to attacker infrastructure delivering second-stage payloads.
- Browser telemetry showing visits to newly registered domains immediately preceding endpoint anomalies.
Detection Strategies
- Inventory installed Chrome versions across endpoints and flag any build below 125.0.6422.112.
- Hunt for renderer processes executing or writing binaries, scripts, or DLLs to disk, which is anomalous for sandboxed renderers.
- Correlate browser navigation logs with EDR process tree events to identify suspicious post-navigation behavior.
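The two hunts above, as an added example that is not part of this advisory: a version-drift check that compares Chrome builds component-wise against 125.0.6422.112 (a plain string comparison would rank 125.0.6422.60 above 125.0.6422.112), and a process-tree rule that flags sandboxed renderers spawning interpreters or writing executable content to disk. The inventory rows, hostnames and EDR event shape are constructed sample data; the field names are an assumption, not any vendor's schema.

```python
# Added example (not from the advisory): version-drift check and renderer
# process-tree hunting for CVE-2024-5274. Inventory rows, EDR events and
# hostnames are constructed sample data; the event field names are assumed.
import re

# First Chrome Stable build that ships the fix, kept as a numeric tuple so the
# comparison is component-wise rather than lexical.
FIXED_VERSION = (125, 0, 6422, 112)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Extract a four-part Chrome version from `google-chrome --version`
    output, a `reg query` result line, or a bare version string."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    major, minor, build, patch = (int(part) for part in match.groups())
    return (major, minor, build, patch)


def is_vulnerable(version_text: str) -> bool:
    """True when the installed build predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


# Constructed inventory: (hostname, raw version output collected from the endpoint).
INVENTORY = [
    ("ws-001", "Google Chrome 124.0.6367.208"),
    ("ws-002", "Google Chrome 125.0.6422.112"),
    ("ws-003", "Google Chrome 125.0.6422.60"),
    ("ws-004", "    version    REG_SZ    126.0.6478.55"),
]


def flag_outdated(inventory) -> list[str]:
    """Hostnames whose Chrome build is below the fixed version."""
    return [host for host, text in inventory if is_vulnerable(text)]


# Process-tree hunting. A sandboxed renderer (chrome.exe --type=renderer, or
# "Google Chrome Helper (Renderer)" on macOS) should neither spawn interpreters
# nor write executable content; either is a strong post-exploitation signal.
RENDERER_IMAGES = {"chrome.exe", "chrome", "google chrome helper (renderer)"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "rundll32.exe", "mshta.exe", "sh", "bash", "python.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js", ".sh", ".so")

# Constructed EDR events in a flat, normalised shape (assumed field names).
EDR_EVENTS = [
    {"host": "ws-001", "type": "process_create", "actor_image": "chrome.exe",
     "actor_cmdline": "chrome.exe --type=renderer --lang=en-US",
     "child_image": "powershell.exe"},
    # Browser (non-renderer) process launching the updater is expected behaviour.
    {"host": "ws-002", "type": "process_create", "actor_image": "chrome.exe",
     "actor_cmdline": "chrome.exe", "child_image": "GoogleUpdate.exe"},
    {"host": "ws-003", "type": "file_write", "actor_image": "chrome.exe",
     "actor_cmdline": "chrome.exe --type=renderer --lang=en-US",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll"},
    # Renderer writing a plain temp file: not flagged by the executable-suffix rule.
    {"host": "ws-004", "type": "file_write", "actor_image": "chrome.exe",
     "actor_cmdline": "chrome.exe --type=renderer --lang=en-US",
     "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\scratch.tmp"},
]


def _is_renderer(event) -> bool:
    return (event["actor_image"].lower() in RENDERER_IMAGES
            and "--type=renderer" in event["actor_cmdline"])


def hunt_renderer_anomalies(events) -> list[tuple[str, str, str]]:
    """(host, rule, detail) for renderers that spawn interpreters or drop executables."""
    findings = []
    for event in events:
        if not _is_renderer(event):
            continue
        if (event["type"] == "process_create"
                and event["child_image"].lower() in SUSPICIOUS_CHILDREN):
            findings.append((event["host"], "renderer_spawned_interpreter",
                             event["child_image"]))
        elif (event["type"] == "file_write"
                and event["path"].lower().endswith(EXECUTABLE_SUFFIXES)):
            findings.append((event["host"], "renderer_wrote_executable", event["path"]))
    return findings


if __name__ == "__main__":
    print("outdated:", flag_outdated(INVENTORY))
    for finding in hunt_renderer_anomalies(EDR_EVENTS):
        print("finding:", finding)
```

The renderer check keys on the `--type=renderer` switch rather than on the image name alone, because the browser, GPU, network and utility processes all run under the same `chrome.exe` image and legitimately spawn children such as the updater.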
Monitoring Recommendations
- Forward Chrome version data and process telemetry into a centralized analytics platform for continuous version drift checks.
- Monitor CISA KEV catalog updates and align patch SLAs to the federal Binding Operational Directive deadlines.
- Alert on Chrome crash reports clustering around V8 components, which can indicate exploitation attempts.
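The crash-clustering alert above, together with the navigation correlation from the detection strategies, as an added example that is not part of this advisory: it keeps only renderer crashes whose top stack frames are in `v8::`, raises an alert when a host accumulates three such crashes inside a one-hour sliding window, and then lists the domains that host visited in the five minutes before the first crash in that window. The crash records, frame names, navigation rows, hosts and domains are constructed sample data, and the record layout is an assumption rather than any crash-reporting product's format.

```python
# Added example (not from the advisory): cluster V8 renderer crashes per host
# and pull the navigations that immediately preceded the first crash.
# Crash records, frame names, navigation rows, hosts and domains are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

V8_FRAME = re.compile(r"\bv8::")   # matches v8::internal::..., v8::Isolate::..., etc.
TOP_FRAMES = 5                      # only the top of the stack is used for attribution

# Constructed crash records (assumed layout): host, ISO timestamp, process
# command line and the symbolised frames from the top of the crashing stack.
CRASHES = [
    {"host": "ws-007", "time": "2024-05-24T09:01:10", "process": "chrome.exe --type=renderer",
     "frames": ["v8::internal::JSObject::GetProperty", "v8::internal::Runtime_GetProperty",
                "Builtins_CallFunction"]},
    {"host": "ws-007", "time": "2024-05-24T09:08:30", "process": "chrome.exe --type=renderer",
     "frames": ["v8::internal::Heap::AllocateRaw", "v8::internal::Factory::NewFixedArray"]},
    {"host": "ws-007", "time": "2024-05-24T09:19:45", "process": "chrome.exe --type=renderer",
     "frames": ["v8::internal::JSArray::SetLength", "Builtins_ArrayPrototypePush"]},
    # One V8 crash on its own stays below the threshold.
    {"host": "ws-008", "time": "2024-05-24T10:12:00", "process": "chrome.exe --type=renderer",
     "frames": ["v8::internal::Isolate::Throw"]},
    # Repeated Blink crashes are not attributed to V8.
    {"host": "ws-009", "time": "2024-05-24T11:00:00", "process": "chrome.exe --type=renderer",
     "frames": ["blink::LayoutBlock::Layout", "blink::LocalFrameView::UpdateLayout"]},
    {"host": "ws-009", "time": "2024-05-24T11:05:00", "process": "chrome.exe --type=renderer",
     "frames": ["blink::LayoutBlock::Layout"]},
    {"host": "ws-009", "time": "2024-05-24T11:10:00", "process": "chrome.exe --type=renderer",
     "frames": ["blink::LayoutBlock::Layout"]},
]

# Constructed browser navigation log (assumed layout).
NAVIGATIONS = [
    {"host": "ws-007", "time": "2024-05-24T07:30:00", "domain": "intranet.example.org"},
    {"host": "ws-007", "time": "2024-05-24T08:59:02", "domain": "static-cdn.example.net"},
    {"host": "ws-008", "time": "2024-05-24T10:11:30", "domain": "news.example.com"},
]


def is_v8_renderer_crash(record) -> bool:
    """Renderer crash with a V8 frame among the top frames of the stack."""
    if "--type=renderer" not in record["process"]:
        return False
    return any(V8_FRAME.search(frame) for frame in record["frames"][:TOP_FRAMES])


def cluster_v8_crashes(records, window=timedelta(hours=1), threshold=3):
    """(host, first_crash_time) for hosts with at least `threshold` V8 renderer
    crashes inside any sliding window of length `window`."""
    per_host = defaultdict(list)
    for record in records:
        if is_v8_renderer_crash(record):
            per_host[record["host"]].append(datetime.fromisoformat(record["time"]))
    alerts = []
    for host, times in sorted(per_host.items()):
        times.sort()
        start = 0
        for end, current in enumerate(times):
            while current - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, times[start]))
                break
    return alerts


def navigations_before(host, moment, navigations, lookback=timedelta(minutes=5)):
    """Domains `host` visited in the `lookback` period ending at `moment`."""
    hits = []
    for nav in navigations:
        if nav["host"] != host:
            continue
        visited = datetime.fromisoformat(nav["time"])
        if moment - lookback <= visited <= moment:
            hits.append(nav["domain"])
    return hits


def triage(records, navigations) -> dict[str, list[str]]:
    """Alerting hosts mapped to the domains visited just before their first V8 crash."""
    return {host: navigations_before(host, first, navigations)
            for host, first in cluster_v8_crashes(records)}


if __name__ == "__main__":
    for host, domains in triage(CRASHES, NAVIGATIONS).items():
        print(f"{host}: V8 renderer crash cluster; preceding navigations: {domains}")
```

The threshold and window are tuning knobs: a single V8 crash is common on buggy but benign pages, whereas several within an hour on one endpoint, each in the renderer, is the pattern worth routing to an analyst together with the pages loaded just before it.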
How to Mitigate CVE-2024-5274
Immediate Actions Required
- Update Google Chrome to version 125.0.6422.112 or later on all Windows, macOS, and Linux endpoints.
- Apply the Fedora package updates referenced in the Fedora Package Announcement and Fedora Security Update Notice.
- Force browser restarts after deployment to ensure patched binaries are loaded into memory.
- Audit Chromium-based applications (Edge, Brave, Opera, Electron apps) that embed V8 and verify they ship a fixed V8 build.
Patch Information
Google released the fix in Chrome Stable channel 125.0.6422.112 for desktop on May 23, 2024. Details are in the Google Chrome Update Announcement. Fedora published corresponding chromium package updates for Fedora 39 and Fedora 40 through the Fedora Updates System.
Workarounds
- No vendor-supplied workaround exists. Patching is the only supported remediation.
- Where patching is delayed, restrict browsing to trusted sites using enterprise web filtering and block newly registered domains.
- Enforce Chrome's site isolation and disable unnecessary JavaScript via enterprise policy on high-risk endpoints until patching completes.
# Verify installed Chrome version on Linux endpoints
google-chrome --version
# Update Chromium on Fedora 39 / 40
sudo dnf upgrade --refresh chromium
# Windows: confirm version via registry
reg query "HKLM\SOFTWARE\Google\Chrome\BLBeacon" /v version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.