CVE-2024-5834
📋 TL;DR
This vulnerability in Google Chrome's Dawn WebGPU implementation allows remote attackers to execute arbitrary code by tricking users into visiting a malicious HTML page. It affects Chrome users on all platforms before version 126.0.6478.54. The high severity rating indicates successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Google Chrome
- Chromium-based browsers
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the victim's machine, enabling data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Remote code execution leading to malware installation, credential theft, or browser session hijacking when users visit malicious websites.
If Mitigated
No impact if Chrome is updated to a patched version or if users avoid untrusted websites.
🎯 Exploit Status
Exploitation requires user interaction (visiting malicious page) but no authentication. The CWE-94 (Code Injection) classification suggests injection of malicious code into WebGPU operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 126.0.6478.54 and later
Vendor Advisory: https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop.html
Restart Required: Yes
Instructions:
1. Open Chrome.
2. Click three-dot menu → Help → About Google Chrome.
3. Chrome will automatically check for and install updates.
4. Click 'Relaunch' to restart Chrome with the update.
🔧 Temporary Workarounds
Disable WebGPU
All platforms: Temporarily disable the WebGPU API, which uses the vulnerable Dawn component
chrome://flags/#enable-webgpu → Disabled
Use Chrome Enterprise policies
All platforms: Disable WebGPU via enterprise policy for organizational control
Set 'WebGPUEnabled' policy to false
🧯 If You Can't Patch
- Restrict users to trusted websites only using web filtering solutions
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check the Chrome version: if it is below 126.0.6478.54, the system is vulnerable.
Check Version:
chrome://version
Verify Fix Applied:
Confirm Chrome version is 126.0.6478.54 or higher
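The version check above applied to a whole inventory, as an added example that is not part of the original advisory. It compares builds numerically, because a plain string comparison misorders builds such as 126.0.6478.114 and 99.0.4844.51; the host names and version strings are constructed samples.

```python
import re

# First patched build, taken from this page.
FIXED = (126, 0, 6478, 54)

# Four dotted numeric parts, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?!\.?\d)")

def parse_chrome_version(text):
    """Extract the build tuple from strings like 'Google Chrome 125.0.6422.141'."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())

def is_vulnerable(text):
    """True if below the fixed build, False if at or above it, None if unparseable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component: 114 > 54 and 99 < 126.
    return version < FIXED

def triage(inventory):
    """Map each host to 'VULNERABLE', 'patched' or 'unknown'."""
    labels = {True: "VULNERABLE", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(raw)] for host, raw in inventory.items()}

# Constructed sample inventory (host name -> reported version string).
# Assumption: the strings come from Chrome itself, e.g. chrome://version;
# other Chromium-based browsers use their own version numbering.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 125.0.6422.141",
    "ws-002": "Google Chrome 126.0.6478.54",
    "ws-003": "Google Chrome 126.0.6478.114",  # string compare would call this older
    "ws-004": "Chromium 99.0.4844.51",         # string compare would call this newer
    "ws-005": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check rather than being counted as patched.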
📡 Detection & Monitoring
Log Indicators:
- Chrome crash reports with Dawn/WebGPU components
- Unexpected process spawning from Chrome
Network Indicators:
- Requests to known malicious domains hosting exploit code
- Unusual WebGPU API usage patterns
SIEM Query:
process_name:chrome.exe AND (parent_process:explorer.exe OR parent_process:cmd.exe) AND command_line CONTAINS "--type=renderer"
🔗 References
- https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop.html
- https://issues.chromium.org/issues/342840932
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7VXA32LXMNK3DSK3JBRLTBPFUH7LTODU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPU7AB53QQVNTBPGRMJRY5SXJNYWW3FX/