CVE-2024-9602 Overview
CVE-2024-9602 is a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome. The flaw affects Chrome versions prior to 129.0.6668.100 and allows a remote attacker to trigger an out-of-bounds memory write through a crafted HTML page. Exploitation requires user interaction, typically by luring a victim to a malicious website. Successful exploitation can lead to memory corruption in the renderer process, which attackers can chain with sandbox escapes to execute arbitrary code. Google rated the Chromium security severity as High. The vulnerability is tracked under CWE-843: Access of Resource Using Incompatible Type.
Critical Impact
A remote attacker can perform an out-of-bounds memory write in the V8 engine via a crafted HTML page, leading to renderer compromise and potential arbitrary code execution.
Affected Products
- Google Chrome versions prior to 129.0.6668.100 on Desktop
- Chromium-based browsers using affected V8 engine builds
- Embedded applications bundling vulnerable Chromium releases
Discovery Timeline
- 2024-10-08 - CVE-2024-9602 published to the National Vulnerability Database
- 2025-11-20 - Last updated in NVD database
Technical Details for CVE-2024-9602
Vulnerability Analysis
The vulnerability resides in V8, the open-source JavaScript and WebAssembly engine that powers Chrome. V8 performs aggressive type speculation and optimization in its TurboFan and Maglev compilers. When the engine misidentifies the type of a JavaScript object, subsequent operations treat memory as a different structure than what was actually allocated. This type confusion produces an out-of-bounds memory write when the engine accesses fields or indices outside the bounds of the original object layout. Attackers deliver the exploit through a crafted HTML page that loads malicious JavaScript. Because V8 runs in the renderer process, a successful write corrupts in-process memory and provides a primitive that attackers commonly escalate to arbitrary code execution within the sandbox.
Root Cause
The root cause is improper type checking during JavaScript execution in V8. The engine acts on an object as if it were a different, incompatible type, violating memory safety assumptions enforced by hidden classes and inline caches. This mismatch enables writes beyond the intended object bounds.
Attack Vector
The attack vector is network-based. A remote attacker hosts a malicious HTML page or compromises a legitimate site to deliver attacker-controlled JavaScript. The victim must visit the page, which satisfies the user interaction requirement. No authentication is needed, and the attack does not require privileges on the target system.
No public proof-of-concept code is available in the referenced advisories. See the Chromium Issue Tracker Entry and the Google Chrome Stable Update for vendor details.
Detection Methods for CVE-2024-9602
Indicators of Compromise
- Chrome renderer process crashes referencing V8 type errors or out-of-bounds write faults
- Outbound connections from Chrome to newly registered or low-reputation domains hosting JavaScript-heavy pages
- Unexpected child processes spawned by chrome.exe following browsing activity
- Browser telemetry showing version strings below 129.0.6668.100 on managed endpoints
Detection Strategies
- Inventory Chrome and Chromium-based browser versions across the fleet and flag installs below the patched build
- Monitor process lineage for renderer crashes followed by suspicious child process creation or shellcode-like memory regions
- Correlate web proxy logs with endpoint browser activity to identify drive-by exploitation attempts
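The fleet-inventory and proxy-correlation steps above, as an added Python example that is not part of this advisory or of any Chrome tooling. It flags builds below the fixed Stable build (129.0.6668.100, from the page) from two constructed inputs: an endpoint inventory export and web-proxy log lines. Record layout, log format, hostnames and IPs are all constructed for illustration. It also handles the caveat a practitioner hits in practice: current Chrome sends a reduced User-Agent (MAJOR.0.0.0) by default, so proxy logs alone can only prove a major version below 129; the exact build comes from endpoint inventory.

```python
"""Fleet check for CVE-2024-9602: flag Chrome/Chromium builds below the fixed
Stable build using (a) an endpoint inventory export and (b) web-proxy log lines.
Added example; record layout and log format are constructed, not a real product's."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# First fixed Desktop Stable build named in the Google Chrome Stable Update.
PATCHED: Tuple[int, int, int, int] = (129, 0, 6668, 100)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
_UA_CHROME_RE = re.compile(r"Chrome/(\d+\.\d+\.\d+\.\d+)")  # Chrome token in a User-Agent


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None.
    Integer comparison matters: as strings, '129.0.6668.99' sorts *above*
    '129.0.6668.100' and would be misreported as patched."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_vulnerable(version: Tuple[int, int, int, int]) -> bool:
    """True for any build strictly below the first fixed build."""
    return version < PATCHED


class Finding(NamedTuple):
    host: str     # hostname (inventory) or client IP (proxy)
    source: str   # "inventory" or "proxy"
    version: str  # version text as observed
    verdict: str  # vulnerable | patched | major-only-vulnerable | unknown-build | unparsed


def assess_inventory(records: List[Dict[str, str]]) -> List[Finding]:
    """records: rows from an MDM/inventory export with 'host' and 'version' keys
    (constructed layout).  Inventory reports the full build, so verdicts are exact."""
    findings = []
    for r in records:
        v = parse_version(r["version"])
        if v is None:
            verdict = "unparsed"  # agent failed to report; needs manual follow-up
        else:
            verdict = "vulnerable" if is_vulnerable(v) else "patched"
        findings.append(Finding(r["host"], "inventory", r["version"], verdict))
    return findings


def assess_proxy_log(lines: List[str]) -> List[Finding]:
    """lines: '<client_ip> <url> "<user-agent>"' (constructed format).
    Chrome's reduced User-Agent reports MAJOR.0.0.0, so a proxy log can only
    establish the major version: below 129 is certainly unpatched, exactly 129
    cannot be decided here, and a full four-part build is treated as exact."""
    findings = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) "(.*)"\s*$', line)
        if m is None:
            continue
        client, _url, ua = m.groups()
        ua_m = _UA_CHROME_RE.search(ua)
        if ua_m is None:
            continue  # not a Chrome/Chromium User-Agent
        ver_text = ua_m.group(1)
        v = parse_version(ver_text)
        assert v is not None  # the regex guarantees four numeric parts
        if v[1:] == (0, 0, 0):  # reduced UA: only the major is meaningful
            if v[0] < PATCHED[0]:
                verdict = "major-only-vulnerable"
            elif v[0] == PATCHED[0]:
                verdict = "unknown-build"
            else:
                verdict = "patched"
        else:
            verdict = "vulnerable" if is_vulnerable(v) else "patched"
        findings.append(Finding(client, "proxy", ver_text, verdict))
    return findings


def hosts_needing_action(findings: List[Finding]) -> List[str]:
    """Hosts that are certainly below the fixed build, from either source."""
    return sorted({f.host for f in findings
                   if f.verdict in ("vulnerable", "major-only-vulnerable")})


# Constructed sample data.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "version": "129.0.6668.100"},  # exactly the fixed build
    {"host": "ws-02", "version": "128.0.6613.138"},  # previous major
    {"host": "ws-03", "version": "129.0.6668.89"},   # same major, older build
    {"host": "ws-04", "version": "130.0.6723.58"},   # later major
    {"host": "ws-05", "version": "unknown"},         # agent failed to report
]
SAMPLE_PROXY_LOG = [
    '10.0.0.5 https://example.test/a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"',
    '10.0.0.6 https://example.test/b "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"',
    '10.0.0.7 https://example.test/c "Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0"',
    '10.0.0.8 https://example.test/d "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36"',
]

if __name__ == "__main__":
    all_findings = assess_inventory(SAMPLE_INVENTORY) + assess_proxy_log(SAMPLE_PROXY_LOG)
    for f in all_findings:
        print(f"{f.source:9} {f.host:10} {f.version:16} {f.verdict}")
    print("needs action:", hosts_needing_action(all_findings))
```

The "unknown-build" verdict is the one to act on operationally: a proxy-only sighting of major 129 must be joined with the inventory row for that client before it can be cleared, which is exactly the correlation the strategy above calls for.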
Monitoring Recommendations
- Enable browser crash reporting and forward Chrome WER and crashpad artifacts to a central SIEM for triage
- Alert on Chrome processes loading unsigned modules or making anomalous syscalls after rendering untrusted content
- Track newly observed domains accessed by browsers and prioritize review of pages serving heavy obfuscated JavaScript
How to Mitigate CVE-2024-9602
Immediate Actions Required
- Update Google Chrome Desktop to version 129.0.6668.100 or later on Windows, macOS, and Linux endpoints
- Update Chromium-based browsers and embedded frameworks to releases incorporating the fixed V8 build
- Restart browsers after the update to ensure patched binaries are loaded
- Verify deployment status through enterprise management consoles and remediate any stragglers
Patch Information
Google released the fix in the Stable channel update for Desktop on October 8, 2024. The patched version is Chrome 129.0.6668.100/.101. Details are published in the Google Chrome Stable Update advisory.
Workarounds
- Restrict browsing of untrusted sites through web filtering and DNS controls until the patch is fully deployed
- Enforce Chrome auto-update policies via group policy or MDM to prevent users from pinning vulnerable versions
- Disable JavaScript on high-risk endpoints where business workflows allow, reducing the V8 attack surface
# Example: enforce Chrome update policy on Windows via registry
# (run from an elevated PowerShell prompt; UpdateDefault=1 means "Always allow updates")
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Google\Update" /v AutoUpdateCheckPeriodMinutes /t REG_DWORD /d 60 /f
# Verify installed Chrome version (64-bit install path; 32-bit installs live under ${env:ProgramFiles(x86)})
$ver = (Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion
# Compare as [version] objects, not strings, so 129.0.6668.99 ranks below 129.0.6668.100
[version]$ver -ge [version]"129.0.6668.100"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.