Login Sign Up

CVE-2024-11920

4.3 MEDIUM

📋 TL;DR

This vulnerability in Google Chrome's Dawn component on macOS allows attackers to trigger out-of-bounds memory access via malicious HTML pages. It affects Chrome users on macOS who haven't updated to version 130.0.6723.92 or later. The issue could lead to memory corruption and potential code execution.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Versions prior to 130.0.6723.92
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems. Other operating systems are not vulnerable to this specific CVE.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation

🟠

Likely Case

Browser crash (denial of service) or limited information disclosure from memory

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked

🌐 Internet-Facing: HIGH - Attackers can exploit via any website or malicious link
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires user to visit malicious webpage. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 130.0.6723.92

Vendor Advisory: https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click Chrome menu → About Google Chrome. 3. Chrome will automatically check for updates and install if available. 4. Click Relaunch to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability

Use Content Security Policy

all

Implement CSP headers to restrict script execution from untrusted sources

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Use alternative browser temporarily
  • Restrict browsing to trusted websites only

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome. If version is less than 130.0.6723.92, system is vulnerable.

Check Version:

google-chrome --version

Verify Fix Applied:

Verify Chrome version is 130.0.6723.92 or higher in About Google Chrome.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Memory access violation errors in system logs

Network Indicators:

  • Unusual outbound connections after visiting suspicious sites
  • Multiple Chrome processes crashing

SIEM Query:

source="chrome_crash_reports" AND version<"130.0.6723.92"

📊 Metadata

CVE ID: CVE-2024-11920
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-125
EPSS Score: 0.11% exploit probability (29.8th percentile)
Published: November 14, 2025
Last Updated: November 17, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-11920, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)