CVE-2024-10487 in Chromeinfo

Summary

by MITRE • 10/30/2024

Out of bounds write in Dawn in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/02/2025

The vulnerability identified as CVE-2024-10487 represents a critical out-of-bounds write flaw within the Dawn graphics library component of Google Chrome. This issue affects versions prior to 130.0.6723.92 and constitutes a severe security risk that could enable remote code execution through malicious web content. The Dawn library serves as a foundational graphics framework that handles WebGL and WebGPU operations, making it a prime target for attackers seeking to exploit graphics processing pipelines. This vulnerability specifically manifests when Chrome processes crafted HTML pages that trigger improper memory handling during graphics rendering operations.

The technical flaw involves an out-of-bounds memory write condition that occurs within the Dawn graphics implementation, which is part of Chromium's graphics stack. When processing maliciously constructed web content, the graphics driver fails to properly validate array indices or buffer boundaries, allowing an attacker to write data beyond allocated memory regions. This type of vulnerability falls under CWE-787, which specifically addresses out-of-bounds write conditions in software systems. The flaw enables attackers to manipulate memory layout and potentially overwrite critical program structures, function pointers, or other sensitive data within the browser process memory space.

The operational impact of this vulnerability extends beyond simple memory corruption, as it provides attackers with a pathway for remote code execution within the context of the Chrome browser. Attackers can leverage this flaw by hosting malicious HTML content on compromised websites or through phishing campaigns that deliver crafted web pages to unsuspecting users. The severity classification as Critical by the Chromium security team reflects the ease of exploitation and the potential for complete system compromise. Successful exploitation could result in arbitrary code execution, privilege escalation, and data exfiltration, particularly when combined with other browser-based attack vectors.

Mitigation strategies for CVE-2024-10487 primarily focus on immediate patching of affected Chrome versions to ensure users operate with the latest security updates. Organizations should implement comprehensive browser update policies and consider deploying automated patch management solutions to maintain protection against this and similar vulnerabilities. Additionally, security teams should monitor for exploitation attempts through network traffic analysis and web application firewalls that can detect malicious HTML content patterns. The ATT&CK framework categorizes this type of vulnerability under T1059 for command and scripting interpreter and T1203 for Exploitation for Client Execution, highlighting the need for defensive measures that address both the exploitation vector and potential post-exploitation activities. Browser hardening measures such as sandboxing, memory protection mechanisms, and strict content security policies provide additional layers of defense against successful exploitation attempts.

Responsible

Chrome

Reservation

10/29/2024

Disclosure

10/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00653

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!