chromiumembedded cef OnFrameCaptured pixel_format out-of-bounds
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.0 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in chromiumembedded cef and classified as critical. Impacted is the function CefVideoConsumerOSR::OnFrameCaptured. The manipulation of the argument pixel_format leads to out-of-bounds.
This vulnerability is listed as CVE-2024-21640. The attack may be initiated remotely. There is no available exploit.
It is suggested to install a patch to address this issue.
Details
A vulnerability was found in chromiumembedded cef (Web Browser) (the affected version unknown) and classified as critical. This issue affects the function CefVideoConsumerOSR::OnFrameCaptured. The manipulation of the argument pixel_format with an unknown input leads to a out-of-bounds vulnerability. Using CWE to declare the problem leads to CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications.`CefVideoConsumerOSR::OnFrameCaptured` does not check `pixel_format` properly, which leads to out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.
The weakness was presented 01/13/2024 as GHSA-3h3j-38xq-v7hh. The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-21640 since 12/29/2023. Technical details are known, but no exploit is available.
Applying the patch 1f55d2e12f62cfdfbf9da6968fde2f928982670b is able to eliminate this problem. The bugfix is ready for download at github.com.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.1VulDB Meta Temp Score: 7.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.6
NVD Vector: 🔍
CNA Base Score: 5.4
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Out-of-boundsCWE: CWE-125 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: 1f55d2e12f62cfdfbf9da6968fde2f928982670b
Timeline
12/29/2023 🔍01/13/2024 🔍
01/13/2024 🔍
02/03/2024 🔍
Sources
Product: github.comAdvisory: GHSA-3h3j-38xq-v7hh
Status: Confirmed
CVE: CVE-2024-21640 (🔍)
GCVE (CVE): GCVE-0-2024-21640
GCVE (VulDB): GCVE-100-250673
Entry
Created: 01/13/2024 13:58Updated: 02/03/2024 06:32
Changes: 01/13/2024 13:58 (53), 02/03/2024 06:32 (11)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.