CVE-2024-5836

8.8 HIGH

📋 TL;DR

This vulnerability allows an attacker who convinces a user to install a malicious Chrome extension to execute arbitrary code on the victim's system. It affects Google Chrome users running versions prior to 126.0.6478.54. The attack requires user interaction to install the malicious extension.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 126.0.6478.54
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Requires user to install malicious extension.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the victim's machine, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Limited code execution within Chrome's sandbox or user context, potentially stealing browser data, session cookies, or installing additional malware.

🟢 If Mitigated

No impact if users only install extensions from trusted sources and keep Chrome updated.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to convince a user to install a malicious extension. No public exploit code is available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 126.0.6478.54 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dots menu → Help → About Google Chrome.
3. Chrome will automatically check for updates and install one if available.
4. Click 'Relaunch' to restart Chrome.

🔧 Temporary Workarounds

Disable Chrome Extensions (platforms: all)

Temporarily disable all Chrome extensions to prevent exploitation.

chrome://extensions/ → Toggle off all extensions

Restrict Extension Installation (platforms: all)

Configure Chrome to only allow extensions from the Chrome Web Store.

chrome://extensions/ → Developer mode off
chrome://settings/content/extensions → Allow only from Chrome Web Store

🧯 If You Can't Patch

  • Implement application allowlisting to block Chrome execution
  • Deploy network filtering to block Chrome extension downloads from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: chrome://version/ → if version is less than 126.0.6478.54, system is vulnerable

Check Version:

chrome://version/

Verify Fix Applied:

Verify Chrome version is 126.0.6478.54 or higher after update
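The version check above is easy to get wrong in a fleet script: Chrome builds are four dot-separated integers, and comparing them as strings puts "99.0.4844.51" after "126.0.6478.54" because "9" sorts after "1". The following is an added example (not part of this advisory or of Chrome's own tooling) that parses the build string numerically, accepts both the bare value from chrome://version/ and the "Google Chrome 125.0.6422.141" form that `google-chrome --version` prints, and compares it with the fixed build 126.0.6478.54 given above. The function and constant names are the example's own.

```python
"""Added example: numeric comparison of an installed Chrome build against the
first fixed build for CVE-2024-5836 (126.0.6478.54, per the vendor advisory)."""
from typing import Tuple

FIXED_VERSION = "126.0.6478.54"  # first fixed Stable build named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of four ints.

    Accepts the bare string shown on chrome://version/ as well as CLI output
    such as 'Google Chrome 125.0.6422.141' or 'Chromium 125.0.6422.141':
    the first whitespace-separated token that starts with a digit and
    contains a dot is taken as the version.
    """
    for token in version.split():
        if token[0].isdigit() and "." in token:
            version = token
            break
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed build.

    Tuple comparison is element-wise and numeric, so 99.x sorts before 126.x,
    which a plain string comparison gets wrong.
    """
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    import sys
    # Usage: python check_chrome.py "$(google-chrome --version)"
    build = sys.argv[1] if len(sys.argv) > 1 else input("Chrome version: ")
    state = "VULNERABLE" if is_vulnerable(build) else "fixed"
    print(f"{parse_version(build)} -> {state} (fixed in {FIXED_VERSION})")
```

The fixed build number applies to Google Chrome's own release line; other Chromium-based browsers number their builds differently, so for them the fixed version has to come from that vendor's advisory rather than from this constant.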

📡 Detection & Monitoring

Log Indicators:

  • Unusual Chrome extension installation events
  • Chrome crash reports with DevTools-related errors
  • Process creation from Chrome with unusual parent-child relationships

Network Indicators:

  • Downloads of Chrome extension files (.crx) from non-Google domains
  • Unusual outbound connections from Chrome process

SIEM Query:

process_name:chrome.exe AND (parent_process:chrome.exe OR command_line:*extension* OR command_line:*devtools*)
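Run as written, the query above is noisy: Chrome is multi-process, so nearly every chrome.exe has chrome.exe as its parent and carries a `--type=` flag (renderer, gpu-process, utility, crashpad-handler), and extension renderers carry `--extension-process` on their command line, so both the parent_process and the `*extension*` clauses match routine activity. The following is an added example (not part of this advisory) that applies the log and network indicators listed above to a few constructed sample events, treating Chrome's own helper-process types as expected and flagging only what is left: a non-Chrome process spawned by Chrome, a chrome.exe launched with an extension- or DevTools-related command line that is not a helper process, a sideloaded extension install, and a .crx download from a non-Google host. The event schema, the `kind`/`source` field names, the sample values and the `EXPECTED_CHILD_TYPES` list are the example's own assumptions, not a real SIEM schema.

```python
"""Added example: apply the advisory's detection indicators to constructed
sample events, suppressing Chrome's normal multi-process children."""
import re
from urllib.parse import urlparse

# Chrome helper processes are also chrome.exe and identify themselves with
# --type=<kind>. Assumption: this list covers the common kinds seen in telemetry.
EXPECTED_CHILD_TYPES = {"renderer", "gpu-process", "utility", "crashpad-handler", "ppapi"}
# Hosts the Chrome Web Store and Chrome updater legitimately serve .crx files from.
GOOGLE_DOMAINS = ("google.com", "googleapis.com", "gstatic.com", "googleusercontent.com")


def is_google_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in GOOGLE_DOMAINS)


def child_type(cmdline: str):
    """Return the value of Chrome's --type= switch, or None for the browser process."""
    m = re.search(r"--type=([\w-]+)", cmdline)
    return m.group(1) if m else None


def evaluate(event: dict) -> list:
    """Return the names of the indicators one event matches (empty list = benign)."""
    hits = []
    kind = event.get("kind")
    if kind == "process":
        proc = event.get("process_name", "").lower()
        parent = event.get("parent_process", "").lower()
        cmd = event.get("command_line", "")
        if proc == "chrome.exe":
            if parent == "chrome.exe" and child_type(cmd) in EXPECTED_CHILD_TYPES:
                return hits  # one of Chrome's own helper processes: expected
            if parent == "chrome.exe":
                hits.append("unusual_chrome_child")  # chrome.exe child without a known --type
            if "extension" in cmd.lower() or "devtools" in cmd.lower():
                hits.append("extension_or_devtools_cmdline")
        elif parent == "chrome.exe":
            hits.append("non_chrome_child_of_chrome")  # e.g. a shell spawned by the browser
    elif kind == "extension_install":
        if event.get("source") != "webstore":
            hits.append("sideloaded_extension_install")
    elif kind == "http":
        url = urlparse(event.get("url", ""))
        if url.path.lower().endswith(".crx") and not is_google_domain(url.hostname or ""):
            hits.append("crx_download_non_google")
    return hits


def scan(events: list) -> dict:
    """Map event index -> matched indicators, for events that matched anything."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample events (not real telemetry); paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"kind": "process", "process_name": "chrome.exe", "parent_process": "chrome.exe",
     "command_line": "chrome.exe --type=renderer --extension-process"},       # 0: extension renderer
    {"kind": "process", "process_name": "chrome.exe", "parent_process": "chrome.exe",
     "command_line": "chrome.exe --type=gpu-process"},                         # 1: GPU helper
    {"kind": "process", "process_name": "cmd.exe", "parent_process": "chrome.exe",
     "command_line": "cmd.exe /c set"},                                        # 2: shell under Chrome
    {"kind": "process", "process_name": "chrome.exe", "parent_process": "explorer.exe",
     "command_line": "chrome.exe --load-extension=C:\\Temp\\unpacked_ext"},   # 3: unpacked extension
    {"kind": "extension_install", "extension_id": "<placeholder-id>", "source": "sideload"},  # 4
    {"kind": "extension_install", "extension_id": "<placeholder-id>", "source": "webstore"},  # 5
    {"kind": "http", "url": "https://dl.google.com/example/extension.crx"},     # 6: Google host
    {"kind": "http", "url": "https://files.example.test/tools/helper.crx"},     # 7: non-Google host
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The suppression rule is deliberately narrow: it only exempts chrome.exe children whose `--type=` value is on the known list, so a chrome.exe spawned by Chrome without that switch, or any other binary spawned by Chrome, still surfaces for review.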
