CVE-2024-0806 – This is a use-after-free vulnerability in Googl... (How to Fix)

Q: What is the severity of CVE-2024-0806?

CVE-2024-0806 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Google Chrome's password management component that could allow heap corruption. Attackers could potentially exploit this to execute arbitrary code or cause browser crashes by tricking users into specific UI interactions. All users running vulnerable Chrome versions are affected.

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's password management component that could allow heap corruption. Attackers could potentially exploit this to execute arbitrary code or cause browser crashes by tricking users into specific UI interactions. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Versions prior to 121.0.6167.85

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Requires user interaction with password UI.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, credential theft, or malware installation.

🟠

Likely Case

Browser crash (denial of service) or limited information disclosure from memory corruption.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can host malicious websites that trigger the vulnerability when visited.

🏢 Internal Only: MEDIUM - Requires user interaction with malicious content, which could come from internal sources.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires specific UI interaction but no authentication. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 121.0.6167.85 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable Chrome Auto-Update

all

Prevent Chrome from automatically updating to ensure controlled patching in enterprise environments.

# Windows: Use Group Policy to disable auto-update
# macOS/Linux: Configure update policies in Chrome policies

🧯 If You Can't Patch

Restrict access to untrusted websites using web filtering or proxy controls.
Implement application allowlisting to prevent unauthorized Chrome execution.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 121.0.6167.85, system is vulnerable.

Check Version:

chrome://version/ (in Chrome address bar) or 'google-chrome --version' (command line)

Verify Fix Applied:

Confirm Chrome version is 121.0.6167.85 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with memory corruption signatures
Unexpected process termination of chrome.exe

Network Indicators:

Requests to suspicious domains followed by Chrome crashes
Unusual outbound connections from Chrome process

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) AND exception_code:0xc0000005

📊 Metadata

CVE ID: CVE-2024-0806

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: January 24, 2024

Last Updated: June 20, 2025

🔗 References

https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html Release Notes,Vendor Advisory
https://crbug.com/1505176 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMI6GXFONZV6HE3BPZO3AP6GUVQLG4JQ/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXDSGAFQD4BDB4IB2O4ZUSHC3JCVQEKC/ Third Party Advisory
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html Release Notes,Vendor Advisory
https://crbug.com/1505176 Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMI6GXFONZV6HE3BPZO3AP6GUVQLG4JQ/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXDSGAFQD4BDB4IB2O4ZUSHC3JCVQEKC/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-0806, you might also want to check these: