CVE-2024-9961

8.8 HIGH

📋 TL;DR

This is a use-after-free vulnerability in the ParcelTracking component of Google Chrome on iOS that allows a remote attacker to potentially exploit heap corruption. Exploitation requires convincing a user to perform specific UI gestures on a crafted HTML page. Only Chrome on iOS prior to version 130.0.6723.58 is affected.

💻 Affected Systems

Products:
  • Google Chrome
Versions: Chrome on iOS prior to 130.0.6723.58
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chrome on iOS; desktop and Android versions are not vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise including arbitrary code execution, data theft, and persistence on the iOS device.

🟠

Likely Case

Browser crash or limited memory corruption leading to denial of service or information disclosure.

🟢

If Mitigated

No impact if Chrome is updated to the patched version, or if users avoid suspicious websites and the gestures they prompt for.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires user interaction (specific UI gestures) and a crafted HTML page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 130.0.6723.58

Vendor Advisory: https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html

Restart Required: Yes

Instructions:

1. Open Chrome on iOS.
2. Go to the App Store.
3. Search for Chrome.
4. Tap 'Update' if available.
5. Restart Chrome after the update.

🔧 Temporary Workarounds

Disable JavaScript


Prevents execution of malicious JavaScript that could trigger the vulnerability.

Settings → Site Settings → JavaScript → Block

Use Alternative Browser


Switch to Safari or another browser until Chrome is updated.

🧯 If You Can't Patch

  • Disable Chrome entirely and use Safari or another browser.
  • Implement network filtering to block suspicious websites.

🔍 How to Verify

Check if Vulnerable:

Open Chrome → Settings → About Chrome → Check version number.

Check Version:

Enter chrome://version/ in the Chrome address bar.

Verify Fix Applied:

Confirm Chrome version is 130.0.6723.58 or higher.
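The version check above, as an added Python example that is not part of this advisory: it accepts a bare version or a user-agent string, compares the version numerically (string comparison would rank 99.x above 130.x), and never flags desktop or Android Chrome/ agents because only iOS builds are affected. The CriOS/ token is how Chrome on iOS identifies itself; the sample user agents are constructed.

```python
import re

# Fixed build for Chrome on iOS, taken from this advisory.
PATCHED_VERSION = "130.0.6723.58"

# Chrome on iOS identifies itself with a CriOS/ token in the user agent;
# desktop and Android builds use Chrome/ instead.
_UA_TOKEN = re.compile(r"\b(?P<product>CriOS|Chrome)/(?P<ver>\d+(?:\.\d+)*)")
_DOTTED = re.compile(r"\d+(?:\.\d+)*")

def parse_version(raw):
    """Dotted version -> four-field int tuple; tuples compare numerically,
    unlike strings, where "99.0.4844.51" sorts after "130.0.6723.58".
    """
    raw = raw.strip()
    if not _DOTTED.fullmatch(raw):
        raise ValueError(f"not a dotted version: {raw!r}")
    parts = tuple(int(p) for p in raw.split("."))
    return parts + (0,) * (4 - len(parts))

def is_vulnerable(text, patched=PATCHED_VERSION):
    """True for a Chrome-on-iOS build older than the patched one. text is a
    bare version (assumed iOS) or a user agent; Chrome/ agents (desktop,
    Android) are never flagged, since the advisory scopes the bug to iOS.
    """
    m = _UA_TOKEN.search(text)
    if m is None:
        version = parse_version(text)
    elif m.group("product") != "CriOS":
        return False
    else:
        version = parse_version(m.group("ver"))
    return version < parse_version(patched)

# Constructed sample user agents, not real telemetry.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_6 like Mac OS X) AppleWebKit/605.1.15"
    " (KHTML, like Gecko) CriOS/129.0.6668.69 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) AppleWebKit/605.1.15"
    " (KHTML, like Gecko) CriOS/130.0.6723.58 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    " (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
]

def vulnerable_agents(user_agents):
    """Return the user agents that still need the update."""
    return [ua for ua in user_agents if is_vulnerable(ua)]
```

Feed `vulnerable_agents` the user-agent column of a proxy or MDM export to list devices still on an affected build.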

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash logs with memory corruption errors
  • Unusual process termination events

Network Indicators:

  • HTTP requests to known malicious domains hosting crafted HTML

SIEM Query:

source="chrome_crash_logs" AND (message="heap corruption" OR message="use after free")
