CVE-2024-8905 – This vulnerability in Chrome's V8 JavaScript en... (How to Fix)

Q: What is the severity of CVE-2024-8905?

CVE-2024-8905 has a CVSS score of 8.8 (HIGH). This vulnerability in Chrome's V8 JavaScript engine allows attackers to corrupt the stack through specially crafted HTML pages, potentially leading to arbitrary code execution. All users running vulnerable versions of Google Chrome are affected when visiting malicious websites.

📋 TL;DR

This vulnerability in Chrome's V8 JavaScript engine allows attackers to corrupt the stack through specially crafted HTML pages, potentially leading to arbitrary code execution. All users running vulnerable versions of Google Chrome are affected when visiting malicious websites.

💻 Affected Systems

Products:

Google Chrome
Chromium-based browsers

Versions: Prior to 129.0.6668.58

Operating Systems: Windows, macOS, Linux, Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: All standard Chrome installations are vulnerable. Chromium-based browsers like Microsoft Edge, Brave, etc. may also be affected depending on their V8 version.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the Chrome process, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within the sandboxed Chrome process.

🟢

If Mitigated

No impact if Chrome is fully patched or if exploit attempts are blocked by security controls.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious page) but no authentication. The vulnerability is in V8's implementation, making reliable exploitation non-trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 129.0.6668.58

Vendor Advisory: https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html

Restart Required: Yes

Instructions:

1. Open Chrome. 2. Click the three-dot menu → Help → About Google Chrome. 3. Chrome will automatically check for and install the update. 4. Click 'Relaunch' to restart Chrome with the fix.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents execution of malicious JavaScript that could trigger the vulnerability.

Use Site Isolation

all

Enables Chrome's Site Isolation feature to limit impact of renderer process compromises.

🧯 If You Can't Patch

Restrict browsing to trusted websites only
Deploy web filtering to block known malicious domains

🔍 How to Verify

Check if Vulnerable:

Check Chrome version via chrome://version/ and compare to 129.0.6668.58.

Check Version:

chrome://version/

Verify Fix Applied:

Confirm Chrome version is 129.0.6668.58 or later.

📡 Detection & Monitoring

Log Indicators:

Chrome crash reports
Unexpected process terminations
Security event logs showing exploit attempts

Network Indicators:

Requests to known exploit domains
Unusual JavaScript execution patterns

SIEM Query:

source="chrome_logs" AND (event="crash" OR event="process_termination")

📊 Metadata

CVE ID: CVE-2024-8905

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: September 17, 2024

Last Updated: January 2, 2025

🔗 References

https://chromereleases.googleblog.com/2024/09/stable-channel-update-for-desktop_17.html Release Notes
https://issues.chromium.org/issues/359949835 Exploit,Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8905, you might also want to check these: