CVE-2024-7968 Overview
CVE-2024-7968 is a use-after-free vulnerability [CWE-416] in the Autofill component of Google Chrome. The flaw affects all Chrome versions prior to 128.0.6613.84. A remote attacker who serves a crafted HTML page and convinces the user to perform specific UI gestures can trigger heap corruption. Google's Chromium team rated the security severity as High.
Successful exploitation of the heap corruption can lead to arbitrary code execution in the process that owns the freed object. Autofill code runs on both sides of Chrome's process boundary: form detection and filling live in the renderer, while the suggestion popup and the stored address and payment data live in the browser process. A renderer-side bug yields a sandboxed foothold that needs a second vulnerability to escape; a browser-side bug does not. The vulnerability was patched in the Stable channel update released on August 21, 2024.
Critical Impact
Remote attackers can trigger heap corruption in Chrome's Autofill via a malicious web page, potentially leading to code execution after user interaction.
Affected Products
- Google Chrome on Windows prior to 128.0.6613.84
- Google Chrome on macOS prior to 128.0.6613.84
- Google Chrome on Linux prior to 128.0.6613.84
Discovery Timeline
- 2024-08-21 - Google releases Chrome 128.0.6613.84 to the Stable channel with the fix
- 2024-08-21 - CVE-2024-7968 published to NVD
- 2024-08-27 - Last updated in NVD database
Technical Details for CVE-2024-7968
Vulnerability Analysis
The vulnerability resides in Chrome's Autofill component, which manages saved form data such as addresses, payment information, and credentials. Autofill objects are referenced from multiple sites in the renderer, including UI surfaces, popup controllers, and form field managers.
A use-after-free occurs when one code path releases an Autofill-related object while another path retains and dereferences a stale pointer. The Chromium issue tracker entry #349253666 records the underlying defect; as is standard for Chromium security bugs, the entry stays access-restricted until well after the fix ships, so the exact code path is not public. An attacker who can trigger the free reliably can groom the heap so that the freed allocation is reclaimed with attacker-controlled data before the dangling pointer is used.
Root Cause
The root cause is improper object lifetime management in Autofill [CWE-416]. The exact defect is not public, but the advisory's wording (heap corruption via specific UI gestures) fits a familiar pattern: a UI-driven state transition, such as opening, dismissing, or navigating away from an Autofill popup, deallocates an internal object while a callback or event handler still holds a raw pointer to it, and the subsequent access dereferences freed memory.
Attack Vector
Exploitation requires a network-reachable attacker, no privileges, and user interaction. The attacker hosts a crafted HTML page and leads the user through the Autofill interactions that trigger the bug, such as focusing a form field, selecting a suggestion, or dismissing a popup. Once the freed object has been reclaimed with attacker-controlled data, the resulting heap corruption can be turned into a read/write primitive in the affected process; whether that process is the sandboxed renderer or the browser process depends on where the freed object lives.
No public proof-of-concept or exploit code is currently available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The defect is tracked in the Chromium Issue Tracker as #349253666.
Detection Methods for CVE-2024-7968
Indicators of Compromise
- Chrome renderer or browser process crashes with stack frames in Autofill code (the autofill:: namespace in symbolized Chrome dumps), particularly heap corruption signatures in crash dumps
- A non-Chrome executable (a shell, a script interpreter, or a living-off-the-land binary) launched as a child of chrome.exe after browsing untrusted sites; Chrome routinely spawns many chrome.exe children of its own, so the parent-child relationship alone is not a signal
- Outbound connections from Chrome processes to previously unseen infrastructure shortly after such a crash
Detection Strategies
- Inventory Chrome installations across the fleet and flag any version below 128.0.6613.84 as vulnerable
- Monitor Chrome CrashReporter telemetry for use-after-free signatures in Autofill code paths
- Correlate browser crashes with subsequent suspicious process or network activity from the same host
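The inventory check above is the one step that can be automated reliably, and the main pitfall is comparing version strings lexically: "99.0.4844.51" sorts after "128.0.6613.84" as text and "128.0.6613.8" sorts before "128.0.6613.84" only by accident of prefix. The following is an added example, not part of the original advisory or of any Google tooling. It assumes a fleet inventory exported as CSV lines of hostname, browser, version (a constructed sample is embedded), parses each version into a numeric tuple, and flags Chrome installs below the fixed version; other Chromium-based browsers are marked for a vendor check because the Chrome fixed version does not apply to their numbering.

```python
"""Flag Chrome installs below the CVE-2024-7968 fixed version.

Added example, not part of the original advisory. Assumes a fleet inventory
exported as CSV with the columns hostname,browser,version; the sample below
is constructed for illustration and is not real fleet data.
"""
import csv
import io
import re

# Version that fixes CVE-2024-7968 on Windows, macOS, and Linux (Chrome Stable, 2024-08-21).
FIXED_CHROME = (128, 0, 6613, 84)

# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """\
hostname,browser,version
ws-001,Google Chrome,127.0.6533.120
ws-002,Google Chrome,128.0.6613.84
ws-003,Google Chrome,128.0.6613.113
ws-004,Google Chrome,128.0.6613.8
ws-005,Google Chrome,99.0.4844.51
ws-006,Microsoft Edge,127.0.2651.105
ws-007,Google Chrome,not-installed
"""

# Chrome versions are always MAJOR.MINOR.BUILD.PATCH, four numeric fields.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if it is not Chrome-shaped."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version, fixed=FIXED_CHROME):
    """True when version is strictly below the fixed version.

    Tuple comparison is numeric per field, so 128.0.6613.8 < 128.0.6613.84 and
    99.0.4844.51 < 128.0.6613.84 both come out right; string comparison would not.
    """
    return version < fixed


def classify(browser, version_text):
    """Return 'vulnerable', 'patched', 'check-vendor', or 'unknown' for one install."""
    version = parse_version(version_text)
    if version is None:
        # Missing or malformed version: cannot decide, surface it for manual review.
        return "unknown"
    if browser.strip().lower() != "google chrome":
        # Edge, Brave, Opera, Vivaldi carry their own version numbers; the Chrome
        # fixed version is not a valid threshold for them (see the vendor advisory).
        return "check-vendor"
    return "vulnerable" if is_vulnerable(version) else "patched"


def scan(csv_text):
    """Map hostname -> status for every row of an inventory CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        results[row["hostname"]] = classify(row["browser"], row["version"])
    return results


if __name__ == "__main__":
    for host, status in sorted(scan(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```

Feed it the real inventory export instead of SAMPLE_INVENTORY and alert on every host that comes back as vulnerable; treat unknown as a collection failure to fix rather than a clean result.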
Monitoring Recommendations
- Enable enterprise Chrome management and report installed versions to a central inventory
- Forward endpoint process, file, and network telemetry to a SIEM or data lake to retain context for post-crash investigation
- Alert on Chrome processes performing operations outside expected behavior, such as writing executable files outside the browser profile and cache directories or launching non-Chrome binaries
How to Mitigate CVE-2024-7968
Immediate Actions Required
- Update Google Chrome to version 128.0.6613.84 or later on Windows, macOS, and Linux endpoints
- Restart all Chrome instances after the update so the patched binary is loaded
- Audit enterprise policies to ensure automatic browser updates are enabled and not blocked by management tooling
Patch Information
Google fixed CVE-2024-7968 in Chrome Stable 128.0.6613.84, released on August 21, 2024. Details are published in the Google Chrome Stable Update advisory. Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi require their corresponding vendor updates that incorporate the Chromium 128 fix.
Workarounds
- Disable Chrome Autofill for addresses, payment methods, and passwords via enterprise policy until patching is complete; this removes the UI surface the advisory describes but, because the exact trigger is not public, it is a reduction in exposure rather than a guaranteed mitigation, and turning off the password manager is a larger change than disabling address and card autofill
- Restrict browsing to trusted domains using URL allowlists where business workflows permit
- Train users to avoid interacting with unexpected Autofill prompts on untrusted sites
# Disable Autofill via Chrome enterprise policy on Linux.
# Google Chrome reads managed policy from /etc/opt/chrome/policies/managed/;
# Chromium builds read /etc/chromium/policies/managed/ instead.
# AutofillAddressEnabled and AutofillCreditCardEnabled cover the Autofill component;
# PasswordManagerEnabled=false additionally turns off the built-in password manager.
# After writing the file, restart Chrome and confirm the three policies appear at chrome://policy.
sudo tee /etc/opt/chrome/policies/managed/disable_autofill.json > /dev/null <<'EOF'
{
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "PasswordManagerEnabled": false
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

