Login Sign Up

CVE-2024-11395

8.8 HIGH

📋 TL;DR

This is a type confusion vulnerability in Chrome's V8 JavaScript engine that allows attackers to trigger heap corruption through malicious web pages. Successful exploitation could lead to arbitrary code execution or browser crashes. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Prior to 131.0.6778.85
Operating Systems: Windows, macOS, Linux, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Chromium-based browsers may also be affected if they haven't updated their V8 engine.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise if combined with other vulnerabilities.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website) but no authentication. Type confusion vulnerabilities in V8 have historically been exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 131.0.6778.85 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_19.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for updates and install if available. 4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution in Chrome

Use Site Isolation

all

Enable site isolation to limit impact of successful exploitation

🧯 If You Can't Patch

  • Use alternative browsers until Chrome can be updated
  • Implement web filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings → About Chrome. If version is below 131.0.6778.85, system is vulnerable.

Check Version:

chrome://version/ (in Chrome address bar)

Verify Fix Applied:

Confirm Chrome version is 131.0.6778.85 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Process termination events
  • Memory access violation logs

Network Indicators:

  • Requests to known exploit hosting domains
  • Unusual JavaScript execution patterns

SIEM Query:

source="chrome" AND (event_type="crash" OR message="*V8*" OR message="*heap corruption*")

📊 Metadata

CVE ID: CVE-2024-11395
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-843
Published: November 19, 2024
Last Updated: July 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11395, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2023-42464 9.8

A Type Confusion vulnerability in Netatalk's afpd service allows remote attackers to potentially exe...

Same vulnerability type (CWE-843)