CVE-2024-1077 – This is a use-after-free vulnerability in Googl... (How to Fix)

Q: What is the severity of CVE-2024-1077?

CVE-2024-1077 has a CVSS score of 8.8 (HIGH). This is a use-after-free vulnerability in Google Chrome's Network component that allows remote attackers to potentially exploit heap corruption via malicious files. Attackers could execute arbitrary code or cause denial of service. All users running vulnerable versions of Chrome are affected.

📋 TL;DR

This is a use-after-free vulnerability in Google Chrome's Network component that allows remote attackers to potentially exploit heap corruption via malicious files. Attackers could execute arbitrary code or cause denial of service. All users running vulnerable versions of Chrome are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Prior to 121.0.6167.139

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Enterprise deployments with older versions are at highest risk.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH - Attackers can deliver exploit via web content, email attachments, or downloads.

🏢 Internal Only: MEDIUM - Risk exists if users access malicious content internally, but external attack surface is primary concern.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Use-after-free vulnerabilities in Chrome's network stack typically require user interaction (opening malicious file) but can be chained with other vulnerabilities for sandbox escape.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 121.0.6167.139 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click menu (three dots) → Help → About Google Chrome 3. Chrome will automatically check for and install updates 4. Click Relaunch to restart Chrome

🔧 Temporary Workarounds

Disable automatic file downloads

all

Configure Chrome to ask before downloading files to prevent automatic execution of malicious content

chrome://settings/content/automaticDownloads → Toggle off 'Download multiple files automatically'

🧯 If You Can't Patch

Deploy application control to block execution of Chrome below version 121.0.6167.139
Implement network filtering to block known malicious file types and suspicious download sources

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is below 121.0.6167.139, system is vulnerable

Check Version:

chrome://version/ (on Chrome) or google-chrome --version (command line)

Verify Fix Applied:

Confirm Chrome version is 121.0.6167.139 or higher after update

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with network component errors
Unexpected Chrome process termination events

Network Indicators:

Unusual file downloads to Chrome users
Multiple Chrome instances crashing from same source

SIEM Query:

source="chrome_crash_reports" AND component="network" AND version<"121.0.6167.139"

📊 Metadata

CVE ID: CVE-2024-1077

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: January 30, 2024

Last Updated: June 3, 2025

🔗 References

https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html Release Notes,Vendor Advisory
https://crbug.com/1511085 Issue Tracking,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUXJY3YC3VGIJW2AOHL4NZ7ZK7BRYWY/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCVKRHRWPMITSVFBHQBSNXOVJAKT547Q/ Mailing List
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_30.html Release Notes,Vendor Advisory
https://crbug.com/1511085 Issue Tracking,Permissions Required,Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUXJY3YC3VGIJW2AOHL4NZ7ZK7BRYWY/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCVKRHRWPMITSVFBHQBSNXOVJAKT547Q/ Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1077, you might also want to check these: