Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957 CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961 CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965 CVE-2024-9966 |
| CWE-ID | CWE-416 CWE-358 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU98690
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9954
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the AI component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/367755363
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU98691
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9955
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Web Authentication in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/370133761
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improperly implemented security check for standard
EUVDB-ID: #VU98692
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9956
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Web Authentication in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/370482421
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free
EUVDB-ID: #VU98693
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9957
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within UI in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/358151317
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improperly implemented security check for standard
EUVDB-ID: #VU98694
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9958
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in PictureInPicture in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/40076120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU98695
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9959
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within DevTools in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/368672129
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU98696
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9960
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Dawn in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/354748063
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free
EUVDB-ID: #VU98697
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9961
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Parcel Tracking in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/357776197
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improperly implemented security check for standard
EUVDB-ID: #VU98698
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9962
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Permissions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/364508693
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU98699
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9963
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in Downloads in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/328278718
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Improperly implemented security check for standard
EUVDB-ID: #VU98700
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9964
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Payments in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/361711121
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Input validation error
EUVDB-ID: #VU98701
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9965
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/352651673
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improperly implemented security check for standard
EUVDB-ID: #VU98702
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-9966
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect implementation in Navigations in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsGoogle Chrome: 100.0.4896.60 - 129.0.6668.101
CPE2.3- cpe:2.3:a:google:google_chrome:129.0.6668.101:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.100:*:*:*:*:*:*:
- cpe:2.3:a:google:google_chrome:129.0.6668.90:*:*:*:*:*:*:
http://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html
http://crbug.com/364773822
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
