CVE-2024-12382
📋 TL;DR
A use-after-free vulnerability in Chrome's Translate component allows remote attackers to potentially exploit heap corruption via a crafted HTML page. This could lead to arbitrary code execution or browser crashes. All users running vulnerable Chrome versions are affected.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Learn more about Chrome →⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise if combined with other vulnerabilities.
Likely Case
Browser crash (denial of service) or limited information disclosure through memory corruption.
If Mitigated
No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.
🎯 Exploit Status
Requires crafting specific HTML to trigger the use-after-free condition. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 131.0.6778.139 and later
Vendor Advisory: https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html
Restart Required: Yes
Instructions:
1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome with the patched version.
🔧 Temporary Workarounds
Disable Translate feature
allTemporarily disable Chrome's built-in translation feature to prevent exploitation
chrome://settings/languages → Turn off 'Offer to translate pages'
Use Chrome Enterprise policies
windowsEnterprise administrators can disable Translate via group policy
Set 'DefaultTranslateEnabled' policy to false
🧯 If You Can't Patch
- Use alternative browsers until Chrome can be updated
- Implement web filtering to block known malicious sites and restrict browsing to trusted domains only
🔍 How to Verify
Check if Vulnerable:
Check Chrome version: If version is less than 131.0.6778.139, the system is vulnerable.Check Version:
chrome://version/ (on Chrome) or 'google-chrome --version' (command line)Verify Fix Applied:
Confirm Chrome version is 131.0.6778.139 or higher after update.📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports with memory corruption errors
- Unexpected Chrome process termination
Network Indicators:
- HTTP requests to unusual domains with crafted HTML content
- Multiple Chrome instances crashing from same source
SIEM Query:
source="chrome_crash_reports" AND (message="heap corruption" OR message="use-after-free")