Login Sign Up

CVE-2024-4558

9.6 CRITICAL

📋 TL;DR

This is a use-after-free vulnerability in ANGLE (Almost Native Graphics Layer Engine) component of Google Chrome. It allows remote attackers to potentially exploit heap corruption via crafted HTML pages, which could lead to arbitrary code execution. All users running vulnerable versions of Chrome are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: Prior to 124.0.6367.155
Operating Systems: Windows, macOS, Linux, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Chrome installations are vulnerable. ANGLE is enabled by default for WebGL and other graphics operations.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Ipados by Apple

View all CVEs affecting Ipados →

Iphone Os by Apple

View all CVEs affecting Iphone Os →

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

Learn more about Macos →

Safari by Apple

View all CVEs affecting Safari →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the Chrome process, potentially leading to full system compromise if combined with privilege escalation.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within Chrome's sandbox, potentially allowing data theft or further exploitation.

🟢

If Mitigated

Browser crash with no data compromise if sandboxing holds, though memory corruption could still leak information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious webpage). No public exploit code has been disclosed as of the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 124.0.6367.155 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_7.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu. 3. Go to Help > About Google Chrome. 4. Chrome will automatically check for and install updates. 5. Click 'Relaunch' to restart Chrome with the patched version.

🔧 Temporary Workarounds

Disable WebGL

all

Disables ANGLE functionality by turning off WebGL, which may break some websites but eliminates the attack vector.

chrome://flags/#disable-webgl
Set to 'Disabled'

Disable JavaScript

all

Prevents malicious HTML/JavaScript from executing, but breaks most modern websites.

chrome://settings/content/javascript
Toggle to 'Blocked'

🧯 If You Can't Patch

  • Use browser extensions to block JavaScript on untrusted sites
  • Implement network filtering to block known malicious domains

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Help > About Google Chrome. If version is below 124.0.6367.155, system is vulnerable.

Check Version:

google-chrome --version (Linux) or "C:\Program Files\Google\Chrome\Application\chrome.exe" --version (Windows)

Verify Fix Applied:

Confirm Chrome version is 124.0.6367.155 or higher after update and restart.

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with ANGLE-related stack traces
  • Unexpected Chrome process termination

Network Indicators:

  • Requests to known exploit domains
  • Unusual WebGL-related traffic patterns

SIEM Query:

source="chrome" AND (event_type="crash" OR message="*ANGLE*" OR message="*use-after-free*")

📊 Metadata

CVE ID: CVE-2024-4558
CVSS v3 Score: 9.6 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-416
Published: May 7, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4558, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)