CVE-2024-8198 – This heap buffer overflow vulnerability in Chro... (How to Fix)

Q: What is the severity of CVE-2024-8198?

CVE-2024-8198 has a CVSS score of 8.8 (HIGH). This heap buffer overflow vulnerability in Chrome's Skia graphics engine allows attackers who have already compromised the renderer process to potentially execute arbitrary code or cause crashes. It affects all Chrome users on vulnerable versions. The vulnerability requires initial renderer compromise but could lead to full system compromise.

📋 TL;DR

This heap buffer overflow vulnerability in Chrome's Skia graphics engine allows attackers who have already compromised the renderer process to potentially execute arbitrary code or cause crashes. It affects all Chrome users on vulnerable versions. The vulnerability requires initial renderer compromise but could lead to full system compromise.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: All versions prior to 128.0.6613.113

Operating Systems: Windows, macOS, Linux, ChromeOS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires renderer process compromise first, which typically requires another vulnerability

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, or persistent backdoor installation

🟠

Likely Case

Browser crash or limited sandbox escape allowing further exploitation within browser context

🟢

If Mitigated

Browser crash with no data loss if sandbox holds, or limited impact if exploit fails

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires chaining with another vulnerability to first compromise renderer process

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 128.0.6613.113 and later

Vendor Advisory: https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html

Restart Required: Yes

Instructions:

1. Open Chrome 2. Click three-dot menu → Help → About Google Chrome 3. Chrome will automatically check for and install update 4. Click 'Relaunch' to restart Chrome

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents malicious HTML pages from executing exploit code

chrome://settings/content/javascript → Block

Enable Site Isolation

all

Limits impact by isolating sites in separate processes

chrome://flags/#site-isolation-trial-opt-out → Disabled

🧯 If You Can't Patch

Use alternative browser temporarily
Restrict browsing to trusted sites only

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome page

Check Version:

google-chrome --version (Linux) or chrome://version (all platforms)

Verify Fix Applied:

Verify version is 128.0.6613.113 or higher

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Renderer process termination events
Unexpected process spawns from Chrome

Network Indicators:

Unusual outbound connections from Chrome
Traffic to known exploit hosting domains

SIEM Query:

process_name:"chrome.exe" AND (event_id:1000 OR event_id:1001) AND version < "128.0.6613.113"

📊 Metadata

CVE ID: CVE-2024-8198

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: August 28, 2024

Last Updated: October 15, 2024

🔗 References

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_28.html Release Notes
https://issues.chromium.org/issues/360758697 Permissions Required

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8198, you might also want to check these: