CVE-2024-5836 Overview
CVE-2024-5836 is an inappropriate implementation flaw in the DevTools component of Google Chrome versions prior to 126.0.6478.54. An attacker who convinces a user to install a malicious Chrome extension can leverage the flaw to execute arbitrary code through a crafted extension. Google classified the Chromium security severity as High. The vulnerability is tracked under [CWE-474] (Use of Function with Inconsistent Implementations) and affects desktop Chrome on all supported platforms, along with Fedora 39 and Fedora 40 Chromium packages.
Critical Impact
A malicious Chrome extension can break out of expected sandbox boundaries via DevTools and execute arbitrary code on the victim system, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Google Chrome versions prior to 126.0.6478.54
- Fedora Project Fedora 39
- Fedora Project Fedora 40
Discovery Timeline
- 2024-06-11 - CVE-2024-5836 published to the National Vulnerability Database
- 2025-03-14 - Last updated in the NVD database
Technical Details for CVE-2024-5836
Vulnerability Analysis
The vulnerability resides in Chrome's DevTools subsystem. DevTools exposes privileged APIs that extensions can interact with through the chrome.devtools.* namespace. An inappropriate implementation in this interface allows a malicious extension to escape the intended permission boundary and run arbitrary code outside the extension sandbox. The flaw requires user interaction in the form of installing the malicious extension, which aligns with the UI:R component of the CVSS vector. Once installed, no additional privileges are needed for exploitation. Successful exploitation grants the attacker code execution in a context that can affect arbitrary tabs, exfiltrate browser-managed credentials, and pivot to local system access depending on platform and configuration.
Root Cause
The root cause is an inconsistent or improper implementation in DevTools-facing extension APIs, categorized under [CWE-474]. The component fails to enforce expected isolation between extension-supplied code and privileged DevTools execution contexts. As a result, content provided by the extension can be evaluated with elevated privileges that bypass standard extension sandboxing.
Attack Vector
Exploitation follows an extension-based delivery chain. The attacker authors a Chrome extension containing a crafted payload that targets the vulnerable DevTools code paths. The attacker then convinces the victim to install the extension through social engineering, fraudulent Web Store listings, sideloading instructions, or supply chain compromise of a legitimate extension. Once installed and activated, the extension triggers the DevTools code path and executes arbitrary code on the host. Because Chrome extensions can persist across sessions and auto-update, attackers can also stage the malicious payload after initial review of an otherwise benign extension.
No verified public exploit code is available. See the Chromium Issue Tracker Reference for vendor-side technical detail once access restrictions are lifted.
Detection Methods for CVE-2024-5836
Indicators of Compromise
- Installation of unfamiliar or recently sideloaded Chrome extensions, particularly those requesting the devtools_page manifest field or broad host permissions.
- Chrome child processes spawning unexpected shell, scripting, or LOLBin executables shortly after browser launch.
- Outbound network connections originating from the Chrome process to attacker-controlled domains immediately after extension installation.
- Modifications to the Chrome Extensions directory and Preferences file outside of normal user-initiated install flows.
Detection Strategies
- Inventory installed Chrome extensions across managed endpoints and compare against an allowlist; flag any extension declaring a devtools_page entry in its manifest.
- Hunt for process lineage where chrome.exe (or the platform equivalent) is the parent of interpreters such as powershell.exe, cmd.exe, bash, or wscript.exe.
- Correlate Chrome version telemetry against 126.0.6478.54 to identify unpatched hosts still exposed to extension-driven exploitation.
Monitoring Recommendations
- Forward extension install, update, and removal events from managed browsers to a central logging pipeline for retention and review.
- Monitor enterprise Chrome policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist) for unauthorized changes that could weaken controls.
- Track DNS and proxy logs for domains associated with rogue extension command-and-control infrastructure.
How to Mitigate CVE-2024-5836
Immediate Actions Required
- Update Google Chrome to version 126.0.6478.54 or later on all desktop platforms; restart the browser to apply the patch.
- Apply the corresponding Fedora updates for Fedora 39 and Fedora 40 via dnf update using the package versions referenced in the Fedora package announcements.
- Audit installed Chrome extensions and remove any that are unsigned, sideloaded, or sourced outside the official Chrome Web Store.
Patch Information
Google released the fix in the Chrome Stable channel update documented in the Google Blog Chrome Update. Fedora distributed patched Chromium builds through the Fedora Package Announcement for F39 and the Fedora Package Announcement for F40.
Workarounds
- Enforce an extension allowlist using the ExtensionInstallAllowlist and ExtensionInstallBlocklist enterprise policies to prevent installation of arbitrary extensions.
- Disable Developer Mode for extensions on managed endpoints by setting the DeveloperToolsAvailability policy to restrict DevTools where the business case allows.
- Restrict installation sources to the Chrome Web Store and require administrator approval for new extensions during the patch rollout window.
# Configuration example: enterprise Chrome policy enforcing allowlist-only extensions on Linux
sudo tee /etc/opt/chrome/policies/managed/extension_controls.json > /dev/null <<'EOF'
{
"ExtensionInstallBlocklist": ["*"],
"ExtensionInstallAllowlist": [
"<approved-extension-id-1>",
"<approved-extension-id-2>"
],
"DeveloperToolsAvailability": 2
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
