Login Sign Up

CVE-2024-1938

8.8 HIGH

📋 TL;DR

This vulnerability is a type confusion flaw in Chrome's V8 JavaScript engine that allows attackers to corrupt memory objects through malicious HTML pages. Attackers could potentially execute arbitrary code or cause browser crashes. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Prior to 122.0.6261.94
Operating Systems: Windows, Linux, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Chromium-based browsers (Edge, Brave, etc.) may also be affected depending on their V8 engine version.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure.

🟢

If Mitigated

No impact if Chrome is updated to patched version or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to visit malicious website. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 122.0.6261.94 or later

Vendor Advisory: https://chromereleases.googleblog.com/2024/02/stable-channel-update-for-desktop_27.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install updates. 4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution in Chrome to prevent exploitation

Use Site Isolation

all

Enable site isolation to limit impact of potential exploitation

🧯 If You Can't Patch

  • Use alternative browser until patch can be applied
  • Implement web filtering to block known malicious sites

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: If version is less than 122.0.6261.94, system is vulnerable.

Check Version:

chrome://version/ or 'google-chrome --version' on Linux

Verify Fix Applied:

Confirm Chrome version is 122.0.6261.94 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Unexpected process termination logs

Network Indicators:

  • Requests to suspicious domains with crafted HTML

SIEM Query:

source="chrome" AND (event="crash" OR event="process_termination")

📊 Metadata

CVE ID: CVE-2024-1938
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-843
Published: February 29, 2024
Last Updated: December 19, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-1938, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2020-25575 9.8

This vulnerability in the Rust failure crate (versions through 0.1.5) involves a type confusion flaw...

Same vulnerability type (CWE-843)