CVE Vulnerability Database

CVE-2024-6772: Google Chrome V8 RCE Vulnerability

CVE-2024-6772 is a remote code execution vulnerability in Google Chrome's V8 engine that allows attackers to perform out-of-bounds memory access via crafted HTML. This post covers technical details, affected versions, and patches.

Published:

CVE-2024-6772 Overview

CVE-2024-6772 is a high-severity vulnerability affecting Google Chrome's V8 JavaScript engine. The flaw stems from an inappropriate implementation that allows remote attackers to perform out-of-bounds memory access through specially crafted HTML pages. This vulnerability enables attackers to potentially read or write memory outside of intended boundaries, which could lead to information disclosure, code execution, or browser crashes.

Critical Impact

Remote attackers can exploit this V8 engine flaw to perform out-of-bounds memory access, potentially leading to arbitrary code execution or sensitive information disclosure when users visit malicious web pages.

Affected Products

  • Google Chrome versions prior to 126.0.6478.182
  • Chromium-based browsers using vulnerable V8 engine versions
  • All platforms running affected Chrome versions (Windows, macOS, Linux)

Discovery Timeline

  • 2024-07-16 - CVE-2024-6772 published to NVD
  • 2024-12-26 - Last updated in NVD database

Technical Details for CVE-2024-6772

Vulnerability Analysis

This vulnerability exists in the V8 JavaScript engine, which is Chrome's high-performance JavaScript and WebAssembly execution environment. The inappropriate implementation allows attackers to trigger out-of-bounds memory access conditions through carefully crafted JavaScript code embedded in malicious HTML pages.

V8 performs just-in-time (JIT) compilation to optimize JavaScript execution performance. The vulnerability appears to be related to improper handling of certain operations that can lead to memory access beyond allocated buffer boundaries. This type of flaw (CWE-787: Out-of-bounds Write) can be particularly dangerous as it may allow attackers to corrupt adjacent memory regions, potentially hijacking program control flow.

The vulnerability requires user interaction—specifically, a victim must navigate to a malicious web page containing the exploit code. Once triggered, the out-of-bounds access could allow attackers to read sensitive data from browser memory or potentially achieve arbitrary code execution within the browser's sandbox.

Root Cause

The root cause is an inappropriate implementation within the V8 JavaScript engine that fails to properly validate memory boundaries during certain operations. This implementation flaw falls under CWE-787 (Out-of-bounds Write) and CWE-358 (Improperly Implemented Security Check for Standard), indicating that security checks were either missing or improperly implemented in the affected code paths.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker must craft a malicious HTML page containing JavaScript code designed to trigger the V8 vulnerability. The attack scenario typically involves:

  1. Attacker hosts or injects malicious JavaScript into a web page
  2. Victim navigates to the compromised page using a vulnerable Chrome version
  3. The malicious JavaScript triggers the out-of-bounds memory access
  4. Attacker potentially achieves code execution or data exfiltration within the browser context

The vulnerability is exploitable remotely without requiring authentication, though it does require convincing a user to visit the attacker-controlled content. Technical details regarding specific exploitation techniques can be found in the Chromium Issue Tracker #346597059.

Detection Methods for CVE-2024-6772

Indicators of Compromise

  • Unusual browser crashes or instability when visiting specific web pages
  • Chrome crash reports indicating V8-related memory access violations
  • Browser process spawning unexpected child processes or network connections
  • Anomalous JavaScript execution patterns in browser debugging logs

Detection Strategies

  • Monitor browser version inventory to identify systems running Chrome versions prior to 126.0.6478.182
  • Implement endpoint detection rules to identify Chrome crash dumps with V8-related memory corruption signatures
  • Deploy network-based detection for known malicious JavaScript patterns targeting V8 vulnerabilities
  • Use browser telemetry to identify unusual rendering or script execution behaviors

Monitoring Recommendations

  • Enable Chrome's built-in crash reporting and review for V8-related memory violations
  • Monitor endpoint security solutions for browser exploitation attempt alerts
  • Track security advisories from the Google Chrome Stable Update channel
  • Implement centralized logging for browser security events across the enterprise

How to Mitigate CVE-2024-6772

Immediate Actions Required

  • Update Google Chrome to version 126.0.6478.182 or later immediately
  • Enable automatic Chrome updates to ensure timely security patches
  • Audit all systems for Chrome installations and enforce version compliance
  • Consider restricting access to untrusted websites until patching is complete

Patch Information

Google has released a security update addressing this vulnerability in Chrome version 126.0.6478.182. Organizations should prioritize updating all Chrome installations across their environment. The patch details are available in the Google Chrome Stable Channel Update announcement.

For enterprise deployments, administrators can use Chrome's enterprise management features to enforce updates and verify compliance across managed devices.

Workarounds

  • Disable JavaScript execution via Chrome settings as a temporary measure (note: this significantly impacts web functionality)
  • Use browser isolation technologies to contain potential exploitation attempts
  • Implement web filtering to block access to untrusted or newly registered domains
  • Consider using alternative browsers temporarily if immediate patching is not feasible
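Disabling JavaScript for every site, as the first workaround suggests, is rarely acceptable in practice. The script below is an added example, not part of this advisory or of Chrome's own tooling: it writes a managed Chrome policy for Linux that blocks JavaScript by default (DefaultJavaScriptSetting and JavaScriptAllowedForUrls are real Chrome enterprise policy names) and re-enables it only for an allowlist of internal sites, then checks that the file carries the blocking setting and removes it again once patching is complete. The directory defaults to Chrome's managed-policy path on Linux; the allowlist patterns and file name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the advisory): narrow the "disable JavaScript"
# workaround to a managed policy with an allowlist, so that patching can
# proceed while only trusted internal sites keep running scripts.
# Assumptions: Chrome on Linux reads policy JSON from the directory below
# (override with a scratch directory to preview the file without root);
# allowlist patterns follow Chrome's content-settings URL pattern syntax
# and must not contain double quotes, since they are emitted verbatim.
DEFAULT_POLICY_DIR="/etc/opt/chrome/policies/managed"
POLICY_NAME="cve-2024-6772-workaround.json"   # constructed file name

# write_js_policy DIR [pattern ...]: emit a policy file that blocks
# JavaScript everywhere (DefaultJavaScriptSetting = 2) except for the
# given URL patterns, which are placed in JavaScriptAllowedForUrls.
write_js_policy() {
  dir="${1:-$DEFAULT_POLICY_DIR}"; [ $# -gt 0 ] && shift
  mkdir -p "$dir"
  {
    printf '{\n  "DefaultJavaScriptSetting": 2,\n  "JavaScriptAllowedForUrls": ['
    sep=''
    for pat in "$@"; do
      printf '%s\n    "%s"' "$sep" "$pat"
      sep=','
    done
    printf '\n  ]\n}\n'
  } > "$dir/$POLICY_NAME"
  chmod 644 "$dir/$POLICY_NAME"
}

# policy_blocks_js DIR: succeed only if the written policy still blocks
# JavaScript by default (a quick compliance check before rollout).
policy_blocks_js() {
  grep -q '"DefaultJavaScriptSetting": 2' "${1:-$DEFAULT_POLICY_DIR}/$POLICY_NAME"
}

# remove_js_policy DIR: roll the workaround back once Chrome >= 126.0.6478.182
# is deployed; Chrome drops the policy on its next launch or on "Reload
# policies" in chrome://policy.
remove_js_policy() {
  rm -f "${1:-$DEFAULT_POLICY_DIR}/$POLICY_NAME"
}

# Demonstration with constructed placeholder patterns in a scratch directory.
demo_dir=$(mktemp -d)
write_js_policy "$demo_dir" "[*.]intranet.example" "https://sso.example"
cat "$demo_dir/$POLICY_NAME"
policy_blocks_js "$demo_dir" && echo "policy blocks JavaScript by default"
remove_js_policy "$demo_dir"
```

Run it without arguments as root to target the real policy directory; the chrome://policy page then lists the two settings under the file's name and reports any pattern Chrome rejected. The same policy names work on Windows (registry) and macOS (configuration profile), only the delivery mechanism differs.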
```bash
# Verify the installed Chrome version on Linux/macOS
google-chrome --version
# Expected output should show 126.0.6478.182 or later

# For enterprise deployments, review the applied policies by opening
# chrome://policy in the browser (it is a browser URL, not a shell command)

# Trigger an update check
# Navigate to: chrome://settings/help
# On Linux, the switch below only shortens the in-browser update-check
# interval (value in seconds; intended for testing); the binary itself is
# upgraded through the distribution's package manager, not by Chrome.
google-chrome --check-for-update-interval=1
```
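Checking one machine by hand does not scale to the version inventory the detection section calls for. The script below is an added example, not part of this advisory: it compares four-component Chrome version strings field by field against the fixed build 126.0.6478.182 (a plain string comparison would rank 126.0.6478.9 above 126.0.6478.182) and runs over a constructed "hostname,version" inventory of the kind an endpoint-management export produces. Hosts whose version cannot be parsed are reported separately rather than silently treated as patched. The sample hostnames and versions are constructed; the helper that collects a record from the local machine assumes the google-chrome binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a fleet inventory of Chrome
# versions against the first fixed release for CVE-2024-6772.
FIXED_VERSION="126.0.6478.182"   # from the advisory's affected-versions list

# chrome_version_lt A B: exit 0 if dotted version A is numerically older than
# B, 1 if equal or newer, 2 if either string is not a well-formed version.
# Chrome versions have four numeric fields; compare each field as a number.
chrome_version_lt() {
  for v in "$1" "$2"; do
    case "$v" in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
  done
  a="$1."; b="$2."   # trailing dot so cut(1) sees a delimiter even for "126"
  i=1
  while [ "$i" -le 4 ]; do
    ai=$(printf '%s' "$a" | cut -d. -f"$i")
    bi=$(printf '%s' "$b" | cut -d. -f"$i")
    ai=${ai:-0}; bi=${bi:-0}   # missing trailing fields count as zero
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    i=$((i + 1))
  done
  return 1   # all four fields equal
}

# vulnerable_hosts: read "host,version" records on stdin; print "host version"
# for every host still below FIXED_VERSION, and send unparseable records to
# stderr so they are investigated instead of being counted as patched.
vulnerable_hosts() {
  while IFS=, read -r host ver; do
    case "$host" in ''|\#*) continue ;; esac   # skip blanks and comment lines
    rc=0
    chrome_version_lt "$ver" "$FIXED_VERSION" || rc=$?
    case "$rc" in
      0) printf '%s %s\n' "$host" "$ver" ;;
      2) printf 'UNPARSEABLE %s %s\n' "$host" "$ver" >&2 ;;
    esac
  done
}

# local_record: one inventory record for this machine (assumes google-chrome
# is on PATH; the version is the last field of "google-chrome --version").
local_record() {
  printf '%s,%s\n' "$(hostname)" "$(google-chrome --version 2>/dev/null | awk '{print $NF}')"
}

# sample_inventory: constructed sample export, not real hosts.
sample_inventory() {
  cat <<'EOF'
# host,chrome_version
ws-01,126.0.6478.127
ws-02,126.0.6478.182
ws-03,125.0.6422.141
ws-04,127.0.6533.72
ws-05,unknown
EOF
}

# Demonstration: ws-01 and ws-03 are reported; ws-05 goes to stderr.
sample_inventory | vulnerable_hosts
```

Feed a real export through `vulnerable_hosts` in place of the sample, or collect records with `local_record` from each host and concatenate them; any line on stderr is a host whose Chrome version the inventory tool failed to read and that must be checked by hand.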

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
