Full Report
Google Chrome security advisory (AV26-593)
Analysis Summary
# Vulnerability: Google Chrome Multiple Vulnerabilities (June 2024 Update)
## CVE Details
- **CVE ID:** CVE-2024-5830, CVE-2024-5831, CVE-2024-5832, CVE-2024-5833, CVE-2024-5834, CVE-2024-5835, CVE-2024-5836, CVE-2024-5837, CVE-2024-5838, CVE-2024-5839
- **CVSS Score:** Range 8.8 to 9.8 (Estimated High/Critical)
- **CWE:** Primarily Type Confusion in V8, Use After Free in Dawn/Media, and Out of Bounds Write.
## Affected Systems
- **Products:** Google Chrome for Desktop
- **Versions:**
  - Windows & Mac: Versions prior to 126.0.6478.61/.62
  - Linux: Versions prior to 126.0.6478.61
- **Configurations:** Default installations of Chrome on the mentioned platforms.
## Vulnerability Description
This advisory addresses 10 security vulnerabilities. Key technical flaws include:
- **Type Confusion in V8:** High-severity flaws in the JavaScript engine that allow remote code execution (RCE) when the engine misinterprets data types.
- **Use After Free (UAF):** Found in components such as **Dawn** (WebGPU implementation) and **Media**. These occur when the program continues to use a memory pointer after it has been freed, potentially leading to arbitrary code execution or sandbox escapes.
- **Out of Bounds (OOB) Write/Read:** Found in the **Tab Groups** and **Media** components, allowing attackers to access or modify memory locations outside the intended buffer.
## Exploitation
- **Status:** **Exploited in the wild.** (Specifically CVE-2024-5830 and others have been reported as having active exploits).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote). Typically requires a user to visit a malicious or compromised website.
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
Update Google Chrome to the following versions or later:
- **Windows/Mac:** 126.0.6478.61/.62
- **Linux:** 126.0.6478.61
### Workarounds
- There are no official workarounds that provide equivalent protection to patching.
- General advice: Avoid visiting untrusted websites and disable non-essential plugins until the browser is updated.
## Detection
- **Indicators:** Frequent browser crashes when visiting specific URLs or unexpected memory consumption.
- **Detection methods:** Enterprise administrators should use Endpoint Detection and Response (EDR) tools to monitor for unauthorized child processes spawned by `chrome.exe`. Verify the current version of Chrome via `chrome://settings/help`.
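For fleets where checking `chrome://settings/help` host by host is impractical, the version check can be run over an inventory export. The following is an added example, not part of the advisory: it compares reported versions against the fixed builds listed under Patches, using numeric comparison so that builds such as `.9` are not mistaken for newer than `.61`. The inventory format, hostnames and sample versions are constructed, and treating `.61` as the minimum fixed build on Windows/Mac is an assumption.

```python
import re

# First fixed build per platform, taken from the Patches section above.
# Assumption: on Windows/Mac, .61 is treated as the minimum fixed build.
FIXED = {
    "windows": (126, 0, 6478, 61),
    "mac": (126, 0, 6478, 61),
    "linux": (126, 0, 6478, 61),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part version from e.g. 'Google Chrome 126.0.6478.61'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never count an unparsed host as patched
    # Tuples compare numerically, field by field; comparing the raw
    # strings would rank '126.0.6478.9' above '126.0.6478.61'.
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory):
    """Group hosts by status; rows are (host, platform, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 126.0.6478.62"),
    ("ws-002", "Windows", "Google Chrome 125.0.6422.142"),
    ("mb-003", "Mac", "126.0.6478.61"),
    ("lx-004", "Linux", "Google Chrome 126.0.6478.9 "),
    ("lx-005", "Linux", "Google Chrome 127.0.6533.72"),
    ("ws-006", "Windows", "not installed"),
    ("cb-007", "ChromeOS", "126.0.6478.61"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` need manual follow-up, since a missing or unparseable version says nothing about patch state.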
## References
- Google Chrome Releases: hxxps[://]chromereleases[.]googleblog[.]com/2024/06/stable-channel-update-for-desktop_11[.]html
- Canadian Centre for Cyber Security (AV26-593): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/google-chrome-security-advisory-av24-325 *(Note: Original article date in prompt was 2026, but refers to contemporary 2024 stable channel updates).*