CVE-2024-1673 – This vulnerability is a use-after-free flaw in ... (How to Fix)

Q: What is the severity of CVE-2024-1673?

CVE-2024-1673 has a CVSS score of 8.8 (HIGH). This vulnerability is a use-after-free flaw in Chrome's Accessibility component that allows a compromised renderer process to potentially exploit heap corruption through specific UI gestures. Attackers who have already compromised the renderer process could leverage this to execute arbitrary code or cause crashes. All users running vulnerable versions of Google Chrome are affected.

📋 TL;DR

This vulnerability is a use-after-free flaw in Chrome's Accessibility component that allows a compromised renderer process to potentially exploit heap corruption through specific UI gestures. Attackers who have already compromised the renderer process could leverage this to execute arbitrary code or cause crashes. All users running vulnerable versions of Google Chrome are affected.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 122.0.6261.57

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Requires renderer process compromise first via another vulnerability.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment if combined with other vulnerabilities.

🟠

Likely Case

Browser crash, denial of service, or limited information disclosure from memory corruption.

🟢

If Mitigated

No impact if Chrome is fully patched or if renderer process compromise is prevented through sandboxing.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content and renderer process compromise first.

🏢 Internal Only: LOW - Same requirements as internet-facing; internal users would need to visit compromised sites.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: HIGH

Requires chaining with another vulnerability to compromise renderer process first. Specific UI gestures needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 122.0.6261.57 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install update. 4. Click 'Relaunch' to restart Chrome with updated version.

🔧 Temporary Workarounds

Disable Accessibility Features

all

Temporarily disable Chrome accessibility features to reduce attack surface

chrome://settings/accessibility → Disable all accessibility features

🧯 If You Can't Patch

Restrict user access to untrusted websites and web applications
Enable Chrome's enhanced security features like Site Isolation and strict sandboxing

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 122.0.6261.57, system is vulnerable.

Check Version:

google-chrome --version (Linux) or chrome://version in browser address bar

Verify Fix Applied:

Confirm Chrome version is 122.0.6261.57 or higher after update.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports with accessibility-related stack traces
Unexpected renderer process terminations

Network Indicators:

Unusual outbound connections following Chrome crashes

SIEM Query:

source="chrome_crash_reports" AND (process="renderer" OR component="accessibility")

📊 Metadata

CVE ID: CVE-2024-1673

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 21, 2024

Last Updated: December 19, 2024

🔗 References

https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html Exploit,Issue Tracking,Release Notes
https://issues.chromium.org/issues/41490491 Exploit,Issue Tracking,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWWBMVQTSERVBXSXCZVUKIMEDNQUQ7O3/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QDCMYQ3J45NHQ4EJREM3BJNNKB5BK4Y7/ Mailing List
https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_20.html Exploit,Issue Tracking,Release Notes
https://issues.chromium.org/issues/41490491 Exploit,Issue Tracking,Release Notes
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWWBMVQTSERVBXSXCZVUKIMEDNQUQ7O3/ Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QDCMYQ3J45NHQ4EJREM3BJNNKB5BK4Y7/ Mailing List

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1673, you might also want to check these: