CVE Radar

CVE Radar Logo
CVERadar

Edition used by more than 30,000 companies in more than 150 countries.
Sign Up For Free

CVE-2024-0225

Critical Severity|Google
77
SVRS
8.8
CVSSv3
0.00998
EPSS
TAGS
In The Wild
VECTOR STRING
CVSS:3.1AV:NAC:LPR:NUI:RS:UC:HI:HA:H
PUBLICATION DATE2024-01-04
LAST MODIFIED2025-06-18

Deep CVE Analysis in Progress

The system is currently conducting an in-depth analysis of the selected CVE. This includes advanced correlation, vulnerability classification, and cross-referencing with real-time threat intelligence sources. Once the analysis is complete, the page will automatically update with enriched vulnerability data and actionable insights.

Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, identified as CVE-2024-0225, is a 'use after free' flaw in the WebGPU component of Google Chrome. It matters significantly because a remote attacker can exploit this flaw by tricking a user into visiting a specially crafted HTML page. Successful exploitation could lead to heap corruption, which often allows for arbitrary code execution within the context of the browser, potentially compromising the user's system or data. Given that WebGPU is a modern web API for high-performance graphics and computation, and Chrome is a widely used browser, the impact of such a vulnerability is substantial.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for CVE-2024-0225 is 8.8, which corresponds to a High severity level. The Chromium project also categorized its security severity as High.
  • Published Date: 2024-01-04 01:56:14 UTC
  • Modified Date: 2025-06-18 15:42:21 UTC
3. Which products, vendors, systems, and versions are affected?
  • Vendor: Google
  • Product: Google Chrome
  • Affected Component: WebGPU
  • Affected Versions: All versions of Google Chrome prior to 120.0.6099.199 are vulnerable.
4. What is the technical root cause and attack vector?
  • Technical Root Cause: The root cause is a 'use after free' error (CWE-416) within the WebGPU component. This occurs when an application continues to use a pointer to memory that has already been deallocated, leading to unpredictable behavior, including data corruption or arbitrary code execution.
  • Attack Vector: The attack vector is remote. An attacker can exploit this by enticing a user to visit a crafted HTML page. This typically involves web-based attacks such as phishing, malicious advertisements, or compromised legitimate websites.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by a remote attacker. The exploitation process involves a user navigating to a malicious website or viewing malicious content within a legitimate site that has been compromised. The crafted HTML page contains code that triggers the 'use after free' condition in the WebGPU component, leading to heap corruption. An attacker can then leverage this heap corruption to achieve arbitrary code execution in the context of the user's browser, potentially allowing them to install malware, steal sensitive information, or take control of the affected system.
6. What mitigation steps and patches are available?
The primary mitigation step is to update Google Chrome to a patched version.
  • Patch Availability: Google has released a patch for this vulnerability. Users should update their Chrome browser to version 120.0.6099.199 or later.
  • General Mitigation: Users should always ensure their web browsers and operating systems are kept up-to-date with the latest security patches to protect against known vulnerabilities.
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by checking the installed version of Google Chrome. Any instance of Google Chrome running a version prior to 120.0.6099.199 is considered vulnerable to CVE-2024-0225. Users can typically check their Chrome version by navigating to chrome://version or chrome://settings/help in their browser.
10. What public intelligence references and advisories exist?
  • CVE Identifier: CVE-2024-0225
  • Chromium Security Advisory: The description notes "Chromium security severity: High," indicating an official advisory from the Chromium project or Google detailing the issue. These advisories typically accompany the release of patched browser versions.
11. What is the risk assessment and urgency level?

Risk Assessment: The risk associated with CVE-2024-0225 is High, as indicated by its CVSS score of 8.8. This vulnerability allows for remote code execution (via heap corruption) simply by visiting a malicious web page. Given the widespread use of Google Chrome, the potential for a broad impact is significant. Successful exploitation could lead to:

  • Compromise of user data
  • Installation of malicious software
  • Complete system control by an attacker
  • Denial of service

Urgency Level: The urgency level is Critical. Immediate action is required to mitigate this threat. Users and organizations should prioritize updating all instances of Google Chrome to version 120.0.6099.199 or newer as quickly as possible. Exploitation of such browser vulnerabilities is common in targeted attacks and can also be incorporated into broader campaigns.

No IOCs found for this CVE

No exploits found for this CVE

SOCRadar Logo

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence

Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.

CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

No news found for this CVE

No tweets found for this CVE

Configuration 1
TypeVendorProduct
AppGooglechrome
Configuration 2
TypeVendorProduct
OSFedoraprojectfedora
ReferenceLink
AF854A3A-2127-422B-91AE-364DA2661108https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
AF854A3A-2127-422B-91AE-364DA2661108https://crbug.com/1506923
AF854A3A-2127-422B-91AE-364DA2661108https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
AF854A3A-2127-422B-91AE-364DA2661108https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
AF854A3A-2127-422B-91AE-364DA2661108https://security.gentoo.org/glsa/202401-34
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
[email protected]https://security.gentoo.org/glsa/202401-34
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
[email protected]https://security.gentoo.org/glsa/202401-34
AF854A3A-2127-422B-91AE-364DA2661108https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
AF854A3A-2127-422B-91AE-364DA2661108https://crbug.com/1506923
AF854A3A-2127-422B-91AE-364DA2661108https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
AF854A3A-2127-422B-91AE-364DA2661108https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
AF854A3A-2127-422B-91AE-364DA2661108https://security.gentoo.org/glsa/202401-34
[email protected]https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop.html
[email protected]https://crbug.com/1506923
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
[email protected]https://lists.fedoraproject.org/archives/list/[email protected]/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
[email protected]https://security.gentoo.org/glsa/202401-34
CWE IDCWE NameDescription
CWE-416Use After FreeReferencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.