CVE-2024-5844 Overview
CVE-2024-5844 is a heap buffer overflow vulnerability in the Tab Strip component of Google Chrome prior to version 126.0.6478.54. A remote attacker can trigger an out-of-bounds memory read by serving a crafted HTML page to a target user. The flaw is categorized under [CWE-787] (Out-of-bounds Write) in the National Vulnerability Database, though the observable impact described by Google is an out-of-bounds read. The vulnerability affects Google Chrome on all supported desktop platforms and the Chromium-based packages distributed through Fedora 39 and Fedora 40.
Critical Impact
Successful exploitation can lead to memory disclosure, browser process compromise, and potential remote code execution chained with a sandbox escape, requiring only that the user visit a malicious web page.
Affected Products
- Google Chrome versions prior to 126.0.6478.54
- Fedora Project Fedora 39 (Chromium package)
- Fedora Project Fedora 40 (Chromium package)
Discovery Timeline
- 2024-06-11 - CVE-2024-5844 published to the National Vulnerability Database
- 2024-06 - Google releases Chrome Stable Channel update 126.0.6478.54 containing the fix
- 2026-06-17 - Last updated in the NVD database
Technical Details for CVE-2024-5844
Vulnerability Analysis
The vulnerability resides in the Tab Strip user interface component, which renders and manages the row of browser tabs. Tab Strip handles tab creation, reordering, dragging, and closing operations, all of which involve dynamic memory allocations on the heap. A heap buffer overflow in this code path allows attacker-influenced input to drive a memory read beyond the boundaries of an allocated buffer.
The issue is reachable via a crafted HTML page, indicating that web content can manipulate browser state (such as opening, closing, or rearranging tabs through scripting, window APIs, or DOM events) in a way that triggers the out-of-bounds access. The flaw requires user interaction — the victim must load the malicious page — but no privileges or prior authentication are needed.
Root Cause
The root cause is improper validation of buffer bounds when Tab Strip accesses heap-allocated memory associated with tab state. When the attacker-controlled HTML drives Tab Strip into a state where indices or offsets exceed the allocated region, the read crosses into adjacent heap memory. [CWE-787] tracking in NVD reflects the underlying memory safety defect, while the public Chromium advisory characterizes the visible symptom as an out-of-bounds read.
Attack Vector
Exploitation is performed entirely over the network. An attacker hosts a crafted HTML page or injects malicious content into a site the victim visits. When the page is rendered, scripted interactions with the Tab Strip cause the out-of-bounds memory access. The disclosed bytes can reveal heap layout, pointers, and other process memory that aid in bypassing Address Space Layout Randomization (ASLR) and chaining additional exploits. Refer to the Chromium Issue Tracker Entry and the Google Chrome Stable Update for additional technical context.
Detection Methods for CVE-2024-5844
Indicators of Compromise
- Chrome browser processes crashing or terminating unexpectedly while loading specific web pages, with crash dumps referencing Tab Strip components.
- Endpoints running Chrome versions earlier than 126.0.6478.54 accessing untrusted or newly registered domains hosting unusual HTML content.
- Unexpected child process creation from chrome.exe following navigation to attacker-controlled URLs.
Detection Strategies
- Inventory installed browser versions across the fleet and flag any Chrome or Chromium build older than 126.0.6478.54 as vulnerable.
- Monitor browser telemetry and crash reports for renderer or browser-process faults that correlate with web navigation events.
- Use web proxy and DNS logs to identify users visiting domains associated with known exploit kits or malvertising campaigns targeting Chromium memory bugs.
Monitoring Recommendations
- Centralize browser version data and crash telemetry in your SIEM or data lake to correlate exploitation attempts with user activity.
- Alert on Chrome process anomalies such as unexpected memory growth, abnormal child processes, or signed binary loads from unusual paths.
- Track Fedora package update status on Linux endpoints to confirm Chromium has been refreshed to a patched build.
How to Mitigate CVE-2024-5844
Immediate Actions Required
- Update Google Chrome to version 126.0.6478.54 or later on all Windows, macOS, and Linux endpoints.
- Apply the Fedora Chromium package updates referenced in the Fedora Package Announcement and the companion advisory.
- Enforce automatic browser updates through enterprise policy to close the exposure window for future Chromium vulnerabilities.
- Restart Chrome after updating so the new binaries are loaded into memory.
Patch Information
Google addressed CVE-2024-5844 in the Chrome Stable Channel release 126.0.6478.54 and later. Details are available in the Google Chrome Stable Update advisory. Fedora 39 and Fedora 40 users should install the updated Chromium packages distributed through the Fedora package announcement channel.
Workarounds
- Restrict browsing on unpatched endpoints to a trusted allowlist of internal applications until Chrome can be updated.
- Use enterprise web filtering to block newly registered domains and known malicious infrastructure.
- Disable or constrain risky web features (such as JavaScript execution on untrusted origins) through enterprise browser policy where operationally feasible.
# Verify Chrome version on Linux endpoints
google-chrome --version
# Update Chromium on Fedora 39/40
sudo dnf upgrade --refresh chromium
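# Windows: confirm patched build via registry
# Google Update records system-wide installs in the 32-bit registry view, so query it explicitly on 64-bit Windows
reg query "HKLM\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463C-AFF1-A69D9E530F96}" /v pv /reg:32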
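The fleet inventory check from the detection strategies can be scripted over the output of the commands above. This is an added example, not part of the original advisory; the host names and sample lines are constructed, and the `rpm -q chromium` style package string is an assumed input format.

```python
import re

FIXED = (126, 0, 6478, 54)  # first patched build named in this advisory

# Chrome/Chromium versions are four dot-separated integers.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first four-part version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Classify one line of collected output against the fixed build."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # command failed or browser not found: follow up
    # Compare numerically per component; comparing the raw strings would
    # rank "99.0.4844.84" and "126.0.6478.9" above "126.0.6478.54".
    return "patched" if version >= FIXED else "vulnerable"

def needs_action(inventory):
    """Return sorted host names whose build is vulnerable or undetermined."""
    return sorted(h for h, raw in inventory if classify(raw) != "patched")

# Constructed sample inventory: (host, raw command output).
SAMPLE = [
    ("lin-01", "Google Chrome 126.0.6478.54 "),            # google-chrome --version
    ("lin-02", "Google Chrome 99.0.4844.84 "),
    ("fed-01", "chromium-126.0.6478.114-1.fc40.x86_64"),   # assumed rpm -q format
    ("fed-02", "chromium-125.0.6422.141-1.fc39.x86_64"),
    ("win-01", "    pv    REG_SZ    125.0.6422.142"),       # reg query ... /v pv
    ("win-02", "ERROR: The system was unable to find the specified registry key or value."),
]

if __name__ == "__main__":
    for host, raw in SAMPLE:
        print(f"{host}: {classify(raw)}")
    print("needs action:", ", ".join(needs_action(SAMPLE)))
```

Hosts reported as "unknown" are kept in the action list because a failed query does not show that the browser is absent or patched.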