
CVE-2024-9122: Google Chrome V8 RCE Vulnerability

CVE-2024-9122 is a type confusion RCE vulnerability in Google Chrome's V8 engine that enables remote attackers to access out-of-bounds memory via crafted HTML pages. This article covers technical details, affected versions, and mitigation.

CVE-2024-9122 Overview

CVE-2024-9122 is a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome versions prior to 129.0.6668.70. A remote attacker can trigger out-of-bounds memory access by serving a crafted HTML page to a target user. Chromium classifies the security severity as High, and Google addressed the issue in the Stable channel update released on September 24, 2024. The flaw is tracked under CWE-843 (Access of Resource Using Incompatible Type). At the time this page was last updated, EPSS placed the exploitation likelihood at roughly 5.85%, in the 92nd percentile, indicating elevated predictive risk relative to most CVEs; EPSS scores are recomputed daily, so check the current value before using it for prioritization.

Critical Impact

A remote attacker can achieve out-of-bounds memory access in the renderer process through a crafted HTML page. In V8, that primitive is routinely turned into arbitrary code execution inside the renderer sandbox; full host compromise additionally requires a separate sandbox-escape vulnerability chained behind this one.

Affected Products

  • Google Chrome on Windows prior to 129.0.6668.70
  • Google Chrome on macOS prior to 129.0.6668.70
  • Google Chrome on Linux prior to 129.0.6668.58

Discovery Timeline

  • 2024-09-24 - Google releases Stable channel update 129.0.6668.70/.71 for Windows and macOS, and 129.0.6668.58 for Linux
  • 2024-09-25 - CVE-2024-9122 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-9122

Vulnerability Analysis

The vulnerability resides in V8, the JavaScript and WebAssembly engine that powers Chrome and Chromium-based browsers. A type confusion condition allows the engine to interpret a memory region as an object of a different type than its actual layout. The mismatch lets attacker-controlled JavaScript read or write memory outside the bounds of the intended object. Exploitation requires user interaction, meaning the target must visit an attacker-controlled or compromised web page that delivers crafted HTML and JavaScript.

Successful exploitation typically yields renderer-process code execution within the Chrome sandbox. While the sandbox limits the immediate blast radius, type confusion flaws in V8 are routinely combined with sandbox escapes to achieve full host compromise. The vulnerability impacts confidentiality, integrity, and availability of the affected system.

Root Cause

Type confusion bugs in V8 generally stem from optimization passes in TurboFan or Maglev that make incorrect assumptions about object shapes, map transitions, or feedback vectors. When the optimized code path executes against an object whose actual type no longer matches the assumed type, the engine performs reads or writes using the wrong layout. This produces predictable out-of-bounds memory access that an attacker can shape into arbitrary read and write primitives. The specific code path behind CVE-2024-9122 is not described in the public advisory; the Chromium Issue Tracker entry holds the details and remains restricted under Chromium's practice of keeping bug details and links private until a majority of users have received the fix.

Attack Vector

The attack vector is network-based with required user interaction. An attacker hosts a malicious page or compromises a legitimate site to deliver crafted HTML containing JavaScript that triggers the type confusion. No prior authentication or elevated privileges are required. The vulnerability can be weaponized through drive-by-download campaigns, malvertising, phishing links, or watering-hole attacks targeting visitors of high-value sites.

No verified public proof-of-concept code or exploit is currently associated with this CVE. The vulnerability mechanism is described in prose; see the Google Chrome Stable Update advisory for vendor details.

Detection Methods for CVE-2024-9122

Indicators of Compromise

  • Chrome renderer process crashes whose stack traces reference V8 (v8::internal) frames or a SIGSEGV in JIT-generated code, on endpoints that have not yet received the patched build
  • Outbound connections from Chrome child processes to newly registered or low-reputation domains serving large JavaScript payloads
  • Unexpected child processes spawned by chrome.exe shortly after a visit to an external URL
  • Browser telemetry showing execution of obfuscated JavaScript that performs aggressive array or typed-array manipulation

Because no public proof-of-concept exists for this CVE, these are generic indicators of in-the-wild browser exploitation rather than signatures specific to CVE-2024-9122; treat them as hunting leads to be confirmed against version inventory and crash data, not as confirmation on their own.

Detection Strategies

  • Inventory installed Chrome builds across endpoints and flag any version below 129.0.6668.70 (Windows/macOS) or 129.0.6668.58 (Linux)
  • Correlate web proxy logs with endpoint telemetry to identify users visiting suspicious pages immediately before renderer crashes
  • Monitor for anomalous post-exploitation behavior such as Chrome processes writing to startup paths or invoking shell binaries
  • Hunt for repeated V8-related crash signatures in Windows Error Reporting (WER) or macOS crash logs
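The inventory check in the first strategy above needs a per-platform, component-wise version comparison: a plain string compare would rank 129.0.6668.9 above 129.0.6668.58. The following is an added example (not code from the advisory or from Google) that parses the `Google Chrome <version>` output format and compares it against the fixed builds named in the September 24, 2024 Stable update. It assumes the hypothetical platform keys `windows`, `darwin`, and `linux` (matching `platform.system().lower()`), applies only to Google Chrome itself (Edge, Brave, and other Chromium forks carry their own version numbers), and on Windows expects you to feed it the value read from the registry rather than a PATH lookup.

```python
"""Flag Chrome builds that predate the CVE-2024-9122 fix, per platform.

Added example, not part of the original advisory. Fixed versions are the
builds named in the Chrome Stable channel update of 2024-09-24.
"""
import platform
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed builds from the 2024-09-24 Stable channel update (Linux got .58).
# Keys match platform.system().lower(); this mapping is an assumption of the example.
FIXED_VERSIONS = {
    "windows": (129, 0, 6668, 70),
    "darwin": (129, 0, 6668, 70),
    "linux": (129, 0, 6668, 58),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from text such as 'Google Chrome 128.0.6613.137'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version_text: str, os_name: str) -> bool:
    """Return True when the installed build is older than the fixed build for os_name.

    Tuples compare component-wise as integers, so 129.0.6668.9 < 129.0.6668.58,
    which a lexical string comparison would get wrong.
    """
    ver = parse_version(version_text)
    if ver is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    fixed = FIXED_VERSIONS[os_name.lower()]
    return ver < fixed


def installed_chrome_version() -> Optional[str]:
    """Best-effort local query on Linux/macOS; returns None if no Chrome binary is on PATH.

    On Windows, read the version from the registry (HKCU\\Software\\Google\\Chrome\\BLBeacon)
    and pass that string to is_vulnerable() instead.
    """
    for exe in ("google-chrome", "google-chrome-stable", "chromium"):
        path = shutil.which(exe)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    os_name = platform.system().lower()  # 'windows', 'darwin' or 'linux'
    text = installed_chrome_version()
    if text is None:
        print("Chrome not found on PATH")
    else:
        print(text, "VULNERABLE" if is_vulnerable(text, os_name) else "patched")
```

In a fleet inventory, call `is_vulnerable()` on the version string your management tooling already reports for each endpoint; the local `installed_chrome_version()` helper is only a convenience for spot checks.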

Monitoring Recommendations

  • Enable centralized browser version reporting through Chrome Browser Cloud Management or equivalent management tooling
  • Forward endpoint process-creation and crash events to a SIEM for correlation with browsing activity
  • Track and alert on Chrome update lag exceeding 72 hours after a Stable channel release
  • Review DNS and TLS logs for connections to domains flagged in current browser-exploit threat intelligence
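The second detection strategy (correlating web proxy logs with renderer crashes) and the SIEM forwarding recommendation above come together in a join on user and time window. The following is an added example, not code from the advisory or from any vendor tooling: it reads constructed proxy and crash log lines in hypothetical space-separated formats, keeps only crashes whose top frame is in `v8::internal`, and reports the non-allowlisted domains each user visited in the 120 seconds before such a crash. The field layouts, the allowlist, and the window size are assumptions to adapt to your own telemetry.

```python
"""Correlate V8 renderer crashes with the pages visited shortly before them.

Added example, not part of the original advisory. Both log formats below are
constructed for illustration; replace the two parsers with ones for your
proxy and endpoint schemas.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp user client_ip method url status
PROXY_LOG = """\
2024-09-25T09:14:02Z alice 10.0.0.5 GET https://intranet.corp.example.com/home 200
2024-09-25T09:15:40Z alice 10.0.0.5 GET https://cdn-assets-7731.example.net/loader.js 200
2024-09-25T09:15:41Z alice 10.0.0.5 GET https://cdn-assets-7731.example.net/stage2.js 200
2024-09-25T09:20:10Z bob 10.0.0.9 GET https://news.example.org/story 200
2024-09-25T10:02:00Z carol 10.0.0.12 GET https://trusted-saas.example.net/app 200
"""

# Constructed sample crash events: timestamp user process signal top_frame
CRASH_LOG = """\
2024-09-25T09:15:58Z alice chrome SIGSEGV v8::internal::compiler::JSCallReducer::ReduceJSCall
2024-09-25T09:21:00Z bob chrome SIGABRT content::RenderProcessHostImpl::Shutdown
2024-09-25T10:02:30Z carol chrome SIGSEGV v8::internal::Heap::CollectGarbage
"""

# Domains that never count as suspicious visits (assumption of the example).
ALLOWLIST = {"intranet.corp.example.com", "trusted-saas.example.net"}
V8_FRAME = re.compile(r"\bv8::internal::")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FMT)


def parse_proxy(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Map each user to a list of (visit_time, hostname)."""
    visits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _ip, _method, url, _status = line.split()
        visits[user].append((parse_ts(ts), urlsplit(url).hostname or ""))
    return visits


def parse_crashes(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (crash_time, user, signal, top_frame) per crash line."""
    crashes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _proc, signal, frame = line.split(maxsplit=4)
        crashes.append((parse_ts(ts), user, signal, frame))
    return crashes


def correlate(proxy_text: str, crash_text: str, window_s: int = 120) -> Dict[str, List[Tuple[str, List[str]]]]:
    """For each V8-related crash, list non-allowlisted domains the same user hit within window_s before it.

    Crashes with no qualifying visits (or with non-V8 frames) produce no entry, so
    the result contains only leads worth a closer look.
    """
    visits = parse_proxy(proxy_text)
    hits: Dict[str, List[Tuple[str, List[str]]]] = {}
    for crash_ts, user, _signal, frame in parse_crashes(crash_text):
        if not V8_FRAME.search(frame):
            continue  # not a V8 frame: outside the scope of this hunt
        domains = sorted({
            host for visit_ts, host in visits.get(user, [])
            if 0 <= (crash_ts - visit_ts).total_seconds() <= window_s and host not in ALLOWLIST
        })
        if domains:
            hits.setdefault(user, []).append((crash_ts.strftime(TS_FMT), domains))
    return hits


if __name__ == "__main__":
    for user, events in correlate(PROXY_LOG, CRASH_LOG).items():
        for crash_ts, domains in events:
            print(f"{user}: V8 crash at {crash_ts} preceded by {', '.join(domains)}")
```

Bob's SIGABRT in a non-V8 frame and Carol's crash after an allowlisted site produce no lead; Alice's crash 17 seconds after loading two scripts from an unfamiliar domain is the one a hunter should pull the proxy capture for. Tune the window to your proxy's logging latency, and confirm the endpoint's Chrome build is below the fixed version before spending time on the trace.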

How to Mitigate CVE-2024-9122

Immediate Actions Required

  • Update Google Chrome to version 129.0.6668.70 or later on Windows and macOS, and 129.0.6668.58 or later on Linux
  • Force-restart Chrome on managed endpoints to ensure the patched binary is loaded, since updates apply only after relaunch
  • Audit all Chromium-based browsers (Edge, Brave, Opera, Vivaldi) and apply their corresponding patched releases that incorporate the V8 fix
  • Restrict execution of legacy or portable Chrome builds that fall outside enterprise update management

Patch Information

Google released the fix in the Stable channel on September 24, 2024, as documented in the Google Chrome Stable Update advisory. The patched builds are 129.0.6668.70/.71 for Windows and macOS and 129.0.6668.58 for Linux. Chromium-based browsers that consume upstream V8 must ship their own versioned updates incorporating the same fix.

Workarounds

  • Deploy enterprise policy to disable JavaScript by default and allow it only on trusted sites using the DefaultJavaScriptSetting and JavaScriptAllowedForUrls policies until patching is complete; this breaks most modern web applications, so it is realistic only for tightly scoped environments such as administrative or kiosk workstations
  • Keep Site Isolation enforced through the SitePerProcess enterprise policy (equivalent to the --site-per-process flag, and the default on desktop Chrome) to limit what a compromised renderer can read from other origins; note that it does not prevent renderer code execution itself
  • Route web traffic through a secure web gateway that blocks known malicious domains and inspects high-risk JavaScript payloads
  • Restrict browsing on privileged administrator workstations until patch deployment is verified
```bash
# Verify installed Chrome version on Linux/macOS
google-chrome --version

# Windows: query installed version via registry
# (per-user installs record the build under HKCU rather than HKLM)
reg query "HKLM\Software\Google\Chrome\BLBeacon" /v version
reg query "HKCU\Software\Google\Chrome\BLBeacon" /v version
```

Example Chrome enterprise policy snippet to restrict JavaScript by default (on Linux, JSON policy files are read from the managed policy directory, e.g. /etc/opt/chrome/policies/managed/; on Windows and macOS the same policy names are delivered via registry or configuration profiles):

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://[*.]corp.example.com",
    "https://trusted-saas.example.net"
  ]
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
