CVE-2024-11919 – This vulnerability allows attackers to create d... (How to Fix)

Q: What is the severity of CVE-2024-11919?

CVE-2024-11919 has a CVSS score of 4.3 (MEDIUM). This vulnerability allows attackers to create deceptive user interfaces in Google Chrome on Android through malicious web pages. It affects Android users running Chrome versions before 129.0.6668.58, enabling UI spoofing attacks.

📋 TL;DR

This vulnerability allows attackers to create deceptive user interfaces in Google Chrome on Android through malicious web pages. It affects Android users running Chrome versions before 129.0.6668.58, enabling UI spoofing attacks.

💻 Affected Systems

Products:

Google Chrome for Android

Versions: All versions prior to 129.0.6668.58

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Chrome on Android, not desktop versions. Requires user interaction with malicious web page.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could create convincing phishing interfaces that trick users into revealing sensitive information or performing unintended actions.

🟠

Likely Case

Users might be tricked into clicking malicious elements or providing information to spoofed UI elements.

🟢

If Mitigated

With proper user awareness and updated browsers, impact is minimal as users can recognize suspicious interfaces.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires user to visit a crafted HTML page. No authentication needed for the attack itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 129.0.6668.58 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html

Restart Required: Yes

Instructions:

1. Open Google Play Store 2. Search for Chrome 3. Update to latest version 4. Restart Chrome

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious scripts that could exploit the vulnerability

chrome://settings/content/javascript (toggle off)

Use alternative browser

all

Temporarily switch to a different browser until Chrome is updated

🧯 If You Can't Patch

Educate users about phishing risks and suspicious UI elements
Implement web filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings > About Chrome. If version is below 129.0.6668.58, system is vulnerable.

Check Version:

chrome://version/

Verify Fix Applied:

Confirm Chrome version is 129.0.6668.58 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Unusual user reports of suspicious website behavior
Multiple failed authentication attempts from same session

Network Indicators:

Traffic to known malicious domains hosting crafted HTML pages

SIEM Query:

source="chrome_logs" AND (event="suspicious_ui" OR event="phishing_attempt")

📊 Metadata

CVE ID: CVE-2024-11919

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE: CWE-451

EPSS Score: 0.1% exploit probability (26.7th percentile)

Published: November 14, 2025

Last Updated: November 17, 2025

🔗 References

https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html Release Notes,Vendor Advisory
https://issues.chromium.org/issues/352516283 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11919, you might also want to check these: