
CVE-2024-7968: Google Chrome Use After Free Vulnerability

CVE-2024-7968 is a use after free vulnerability in Google Chrome's Autofill feature that enables remote attackers to exploit heap corruption through crafted HTML pages. This article covers technical details, affected versions, and mitigation.


CVE-2024-7968 Overview

CVE-2024-7968 is a use-after-free vulnerability [CWE-416] in the Autofill component of Google Chrome. The flaw affects all Chrome versions prior to 128.0.6613.84. A remote attacker can exploit heap corruption by serving a crafted HTML page and convincing the user to perform specific UI interactions. Google's Chromium team rated the security severity as High.

Successful exploitation can lead to arbitrary code execution within the renderer process; because the renderer is sandboxed, full browser compromise requires chaining this bug with a separate sandbox escape. The vulnerability was patched in the Stable channel update released on August 21, 2024.

Critical Impact

Remote attackers can trigger heap corruption in Chrome's Autofill via a malicious web page, potentially leading to code execution after user interaction.

Affected Products

  • Google Chrome on Windows prior to 128.0.6613.84
  • Google Chrome on macOS prior to 128.0.6613.84
  • Google Chrome on Linux prior to 128.0.6613.84

Discovery Timeline

  • 2024-08-21 - Google releases Chrome 128.0.6613.84 to the Stable channel with the fix
  • 2024-08-21 - CVE-2024-7968 published to NVD
  • 2024-08-27 - Last updated in NVD database

Technical Details for CVE-2024-7968

Vulnerability Analysis

The vulnerability resides in Chrome's Autofill component, which manages saved form data such as addresses, payment information, and credentials. Autofill objects are referenced from multiple sites in the renderer, including UI surfaces, popup controllers, and form field managers.

A use-after-free occurs when one code path releases an Autofill-related object while another path retains and dereferences a stale pointer. The Chromium issue tracker entry #349253666 records the underlying defect. Attackers can groom the heap, force the dangling reference, and reclaim freed memory with attacker-controlled data.

Root Cause

The root cause is improper object lifetime management in Autofill [CWE-416]. UI-driven state transitions, such as opening, dismissing, or navigating away from an Autofill popup, can deallocate an internal object while a callback or event handler still holds a reference. Subsequent access to that object dereferences freed memory.

Attack Vector

Exploitation requires a network-reachable attacker, no privileges, and user interaction. The attacker hosts a crafted HTML page that triggers Autofill UI interactions, such as focusing a form field, selecting a suggestion, or dismissing a popup. After the freed object is reclaimed with attacker-controlled data, heap corruption can be converted into arbitrary read/write primitives inside the renderer sandbox.

No public proof-of-concept or exploit code is currently available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability mechanism is described in the Chromium Issue Tracker #349253666.

Detection Methods for CVE-2024-7968

Indicators of Compromise

  • Renderer process crashes referencing Autofill components, particularly heap corruption signatures in crash dumps
  • Unexpected child process spawning from chrome.exe after browsing untrusted sites
  • Outbound connections from Chrome renderer processes to unknown command-and-control infrastructure following a crash

Detection Strategies

  • Inventory Chrome installations across the fleet and flag any version below 128.0.6613.84 as vulnerable
  • Monitor Chrome CrashReporter telemetry for use-after-free signatures in Autofill code paths
  • Correlate browser crashes with subsequent suspicious process or network activity from the same host
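The first detection strategy above depends on comparing Chrome version strings correctly. The following is an added example, not code from the original page: it parses four-part Chrome versions as integer tuples, compares them against the fix version 128.0.6613.84, and flags hosts from a constructed sample inventory (hostnames and version values are made up).

```python
# Added example (not from the original page): flag Chrome installs older than
# the CVE-2024-7968 fix version. Inventory lines below are constructed data.
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "128.0.6613.84"  # Chrome Stable release of 2024-08-21
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # major.minor.build.patch

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as an int tuple, or None if malformed.
    Integer tuples matter: a plain string compare ranks '99.0.4844.51'
    above '128.0.6613.84' and would miss a vulnerable install."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix. Unparsable versions count as
    vulnerable so a bad inventory entry is never silently skipped."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed < parse_version(FIXED_VERSION)

def flag_hosts(inventory: List[str]) -> List[str]:
    """Return hostnames from 'host,version' lines that still need the update."""
    flagged = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        if is_vulnerable(version):
            flagged.append(host.strip())
    return flagged

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host,chrome_version",
    "ws-01,127.0.6533.120",   # a 127 build: vulnerable
    "ws-02,128.0.6613.84",    # exactly the fix: not vulnerable
    "ws-03,128.0.6613.120",   # later patch: not vulnerable
    "ws-04,99.0.4844.51",     # string compare would wrongly pass this
    "ws-05,unknown",          # unparsable: flag for manual review
]

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {FIXED_VERSION} or later")
```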

Monitoring Recommendations

  • Enable enterprise Chrome management and report installed versions to a central inventory
  • Forward endpoint process, file, and network telemetry to a SIEM or data lake to retain context for post-crash investigation
  • Alert on Chrome renderer processes performing operations outside expected behavior, such as writing to disk paths used by malware staging

How to Mitigate CVE-2024-7968

Immediate Actions Required

  • Update Google Chrome to version 128.0.6613.84 or later on Windows, macOS, and Linux endpoints
  • Restart all Chrome instances after the update so the patched binary is loaded
  • Audit enterprise policies to ensure automatic browser updates are enabled and not blocked by management tooling

Patch Information

Google fixed CVE-2024-7968 in Chrome Stable 128.0.6613.84, released on August 21, 2024. Details are published in the Google Chrome Stable Update advisory. Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi require their corresponding vendor updates that incorporate the Chromium 128 fix.

Workarounds

  • Disable Chrome Autofill for addresses, payment methods, and passwords via enterprise policy until patching is complete
  • Restrict browsing to trusted domains using URL allowlists where business workflows permit
  • Train users to avoid interacting with unexpected Autofill prompts on untrusted sites

```bash
# Disable Autofill via Chrome enterprise policy on Linux
sudo tee /etc/opt/chrome/policies/managed/disable_autofill.json > /dev/null <<'EOF'
{
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "PasswordManagerEnabled": false
}
EOF
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
