CVE-2024-5844

8.8 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in Google Chrome's Tab Strip component allows remote attackers to perform out-of-bounds memory reads via crafted HTML pages. This affects Chrome users on all platforms who haven't updated to the patched version. Attackers could potentially exploit this to leak sensitive memory contents or as part of a larger attack chain.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 126.0.6478.54
Operating Systems: Windows, Linux, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome installations are vulnerable. Chromium-based browsers may also be affected depending on their patch level.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure leading to credential theft, session hijacking, or as a stepping stone for arbitrary code execution through memory corruption.

🟠 Likely Case

Memory information leakage that could reveal sensitive data like cookies, passwords, or other browser session information.

🟢 If Mitigated

No impact if Chrome is updated to the patched version or if vulnerable browsers are isolated from untrusted content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious webpage) but no authentication. The vulnerability allows memory reads which could be combined with other vulnerabilities for more severe attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 126.0.6478.54

Vendor Advisory: https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click the three-dot menu → Help → About Google Chrome.
3. Chrome will automatically check for and install updates.
4. Click 'Relaunch' to restart Chrome with the update.

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Prevents exploitation by disabling JavaScript execution, though this breaks most modern websites.

Use Browser Sandboxing (all platforms)

Run Chrome in a sandboxed environment to limit potential damage from exploitation.

🧯 If You Can't Patch

  • Restrict browser access to untrusted websites using web filtering or proxy controls.
  • Implement application whitelisting to prevent execution of malicious payloads that might follow initial exploitation.

🔍 How to Verify

Check if Vulnerable:

Check the Chrome version in Settings → About Chrome. If the version is below 126.0.6478.54, the system is vulnerable.

Check Version:

google-chrome --version (Linux) or navigate to chrome://version in browser

Verify Fix Applied:

Confirm the Chrome version is 126.0.6478.54 or higher after the update.
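
An added example (not part of the original advisory) that automates the check above: it extracts the four-part version from `google-chrome --version` style output and compares it field by field against 126.0.6478.54. The function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Chrome builds older than the fix for CVE-2024-5844.
PATCHED="126.0.6478.54"   # patched version stated in this advisory

# Pull the first four-part dotted version out of text such as the output of
# `google-chrome --version` (e.g. "Google Chrome 125.0.6422.141 ").
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_lt A B: exit 0 if A < B. Fields are compared as numbers, because a
# plain string comparison would rank 126.0.6478.126 below 126.0.6478.54.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Print "vulnerable <ver>", "patched <ver>" or "unknown" for a version string.
chrome_status() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$PATCHED"; then
        echo "vulnerable $ver"
    else
        echo "patched $ver"
    fi
}

# Constructed sample inputs, one per line, as an inventory export might hold.
while IFS= read -r line; do
    printf '%-32s -> %s\n' "$line" "$(chrome_status "$line")"
done <<'EOF'
Google Chrome 125.0.6422.141
Google Chrome 126.0.6478.54
Chromium 126.0.6478.126 snap
Google Chrome 99.0.4844.51
EOF

# On a Linux host: chrome_status "$(google-chrome --version)"
```

An "unknown" result means no version could be parsed, so treat that host as unverified rather than patched.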

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports with memory access violations
  • Unusual process termination events

Network Indicators:

  • Requests to known malicious domains hosting exploit code
  • Unusual outbound connections following browser crashes

SIEM Query:

source="chrome" AND (event_type="crash" OR error="access_violation")
