CVE-2024-6990 Overview
CVE-2024-6990 is an uninitialized memory use vulnerability in the Dawn component of Google Chrome on Android. Dawn is Chrome's cross-platform implementation of the WebGPU standard. Versions of Chrome prior to 127.0.6533.88 are affected. A remote attacker can serve a crafted HTML page that triggers out-of-bounds memory access through uninitialized variable use. Chromium rates the security severity as Critical. The flaw maps to [CWE-457: Use of Uninitialized Variable] and [CWE-908: Use of Uninitialized Resource]. User interaction is required, since the victim must load attacker-controlled web content.
Critical Impact
Remote attackers can exploit uninitialized memory in Dawn via a crafted HTML page to achieve out-of-bounds memory access in the Chrome renderer process on Android.
Affected Products
- Google Chrome on Android prior to 127.0.6533.88
- Chromium-based browsers shipping the affected Dawn/WebGPU implementation
- Embedded WebView components that bundle vulnerable Chromium builds
Discovery Timeline
- 2024-07-30 - Google releases stable channel update addressing the issue
- 2024-08-01 - CVE-2024-6990 published to NVD
- 2024-08-16 - Last updated in NVD database
Technical Details for CVE-2024-6990
Vulnerability Analysis
The vulnerability resides in Dawn, the WebGPU implementation embedded in Chrome. Dawn translates WebGPU API calls from JavaScript into native graphics commands for the underlying GPU backend. The defect involves use of an uninitialized variable or resource during this translation path. When the uninitialized value is consumed as an index, pointer, or size parameter, it leads to out-of-bounds memory access. The flaw is reachable from any web origin, which removes authentication barriers for exploitation. Successful exploitation can compromise renderer-process confidentiality, integrity, and availability.
Root Cause
The root cause is improper initialization of memory or object state inside Dawn before the value is consumed by subsequent logic. Both [CWE-457] and [CWE-908] describe scenarios where uninitialized storage carries residual data from prior allocations. When that residual data is interpreted as a buffer length, offset, or descriptor field, downstream code performs reads or writes outside intended bounds. Details are tracked in the Chromium Issue Tracker entry.
Attack Vector
Exploitation requires a victim to visit a malicious or compromised website with a vulnerable Chrome build. The attacker delivers a crafted HTML page that invokes specific WebGPU API sequences through JavaScript. These calls drive Dawn into the code path that uses uninitialized data. The result is out-of-bounds memory access within the renderer sandbox. An attacker can chain this primitive with a sandbox escape to achieve broader impact. See the Google Chrome update blog post for vendor confirmation. No public proof-of-concept is currently available, and the vulnerability is not listed in CISA KEV.
Detection Methods for CVE-2024-6990
Indicators of Compromise
- Chrome renderer process crashes on Android devices correlated with WebGPU activity or chrome://gpu features
- Outbound connections from mobile endpoints to untrusted domains immediately preceding renderer crash signals
- Browser telemetry showing repeated visits to pages invoking unusual WebGPU shader or buffer allocation patterns
Detection Strategies
- Inventory Chrome installations on Android fleets and flag any build below 127.0.6533.88
- Monitor mobile EDR telemetry for Chrome process abnormal terminations and child process spawning
- Inspect web proxy logs for HTML responses containing dense WebGPU API usage from low-reputation domains
Monitoring Recommendations
- Forward Chrome crash reports and mobile browser telemetry into a centralized analytics pipeline for correlation
- Alert on version drift when managed Android devices report Chrome versions below the patched release
- Track threat intelligence feeds for newly published WebGPU and Dawn exploit research tied to this CVE
How to Mitigate CVE-2024-6990
Immediate Actions Required
- Update Google Chrome on Android to version 127.0.6533.88 or later through Google Play
- Push managed configuration via mobile device management to enforce automatic Chrome updates
- Communicate to users that they should restart Chrome after the update to fully apply the fix
Patch Information
Google addressed CVE-2024-6990 in the Chrome stable channel update released on July 30, 2024. The fixed version on Android is 127.0.6533.88. Refer to the Google Chrome update blog post for the full advisory and the Chromium Issue Tracker entry for engineering details.
Workarounds
- Disable WebGPU on managed Android Chrome deployments using enterprise policy until patching is complete
- Restrict browsing to trusted domains through mobile threat defense or DNS filtering policies
- Block known malicious infrastructure at the network egress point to reduce delivery of crafted HTML payloads
# Chrome enterprise policy to disable WebGPU until devices are patched
# Deploy via Android Enterprise managed configuration for com.android.chrome
{
"PolicySchema": {
"WebGPUEnabled": false,
"DefaultJavaScriptSetting": 2,
"URLBlocklist": ["*"],
"URLAllowlist": ["https://*.corp.example.com"]
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
