CVE-2024-6991 Overview
CVE-2024-6991 is a use-after-free vulnerability in Dawn, the WebGPU implementation used by Google Chrome. Versions prior to 127.0.6533.72 allow a remote attacker to trigger heap corruption through a crafted HTML page. The flaw is tracked under [CWE-416] and affects desktop builds of Chrome across supported platforms. Successful exploitation requires user interaction, such as visiting an attacker-controlled web page. The Chromium project rated the bug High severity, and Google has shipped a fixed stable channel build.
Critical Impact
Remote attackers can corrupt heap memory in the Chrome renderer through a crafted web page, creating conditions suitable for arbitrary code execution within the browser sandbox.
Affected Products
- Google Chrome desktop versions prior to 127.0.6533.72
- Chromium-based browsers embedding the vulnerable Dawn/WebGPU component
- Applications using Chromium Embedded Framework builds preceding the fix
Discovery Timeline
- 2024-08-06 - CVE-2024-6991 published to the National Vulnerability Database
- 2024-08-07 - Last updated in the NVD database
Technical Details for CVE-2024-6991
Vulnerability Analysis
The vulnerability resides in Dawn, the cross-platform implementation of the WebGPU standard shipped inside Chrome. Dawn brokers GPU command submission between JavaScript running in the renderer and the underlying graphics driver. A use-after-free condition occurs when code retains and dereferences a pointer to a GPU resource object after that object has been released. The dangling reference operates on memory that the allocator can reassign to attacker-controlled data, producing heap corruption inside the GPU process or renderer.
Because WebGPU is reachable from any web origin without special permissions, the attack surface extends to ordinary web browsing. The vulnerability requires user interaction in the form of loading a malicious page, but no authentication or privilege is needed. Exploitation of memory corruption in Chromium graphics components has historically been chained with sandbox escapes to achieve code execution outside the renderer.
Root Cause
The root cause is improper object lifetime management within Dawn's resource handling paths. A WebGPU object is destroyed while another code path still holds a reference, and subsequent operations on that reference touch freed heap memory. Issues of this class fall under [CWE-416] Use After Free.
Attack Vector
The attack vector is the network. An attacker hosts a crafted HTML page that issues WebGPU API calls designed to exercise the vulnerable code path. When a victim visits the page, the renderer processes the malicious sequence and triggers the dangling reference. No credentials are required, and exploitation proceeds entirely through standard web content.
No public proof-of-concept code is available. Technical specifics are tracked in the Chromium Issue Tracker Entry and the Google Chrome Update Announcement.
Detection Methods for CVE-2024-6991
Indicators of Compromise
- Chrome processes crashing with heap corruption signatures referencing Dawn or WebGPU symbols
- Browser navigation to untrusted domains immediately preceding renderer or GPU process termination
- Unexpected child processes spawning from chrome.exe after visiting a web page
- Endpoints running Chrome builds older than 127.0.6533.72 after the patch window
Detection Strategies
- Inventory installed Chrome versions across managed endpoints and flag any build below 127.0.6533.72
- Correlate browser crash telemetry with stack frames inside dawn_native or dawn_wire modules
- Monitor for renderer or GPU process exit codes consistent with memory corruption faults
- Inspect proxy and DNS logs for requests to newly observed domains serving WebGPU-heavy content
Monitoring Recommendations
- Forward Chrome crash dumps and Windows Error Reporting events to a centralized log platform
- Alert when browser child processes execute scripting interpreters or download executables
- Track patch compliance for Chrome and embedded Chromium runtimes on a recurring schedule
- Review GPU process telemetry for abnormal command buffer sizes or repeated allocation failures
How to Mitigate CVE-2024-6991
Immediate Actions Required
- Update Google Chrome to version 127.0.6533.72 or later on all managed endpoints
- Restart browser sessions after the update so the patched binaries load into memory
- Audit third-party software embedding Chromium and apply vendor updates that incorporate the fix
- Restrict access to untrusted web destinations through web filtering until patching completes
Patch Information
Google addressed CVE-2024-6991 in the Chrome Stable channel build 127.0.6533.72 for Windows, macOS, and Linux. Release notes are documented in the Google Chrome Update Announcement. Administrators using managed Chrome deployments should push the updated MSI or package through their existing distribution channels and verify the installed version on each host.
Workarounds
- Disable WebGPU through the chrome://flags/#enable-unsafe-webgpu setting or enterprise policy where feasible
- Apply the URLBlocklist enterprise policy to restrict navigation to high-risk web content
- Enforce site isolation policies to limit cross-origin renderer reuse
- Deploy browser isolation or remote browsing for users handling sensitive workloads until patches are applied
# Verify Chrome version on Linux endpoints
google-chrome --version
# Example Chrome enterprise policy fragment disabling WebGPU
# /etc/opt/chrome/policies/managed/disable-webgpu.json
{
"DefaultWebGpuSetting": 2
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
