Skip to main content

CVE-2024-1059: Use after free in Google Chrome

High
VulnerabilityCVE-2024-1059cvecve-2024-1059
Published: Tue Jan 30 2024 (01/30/2024, 21:14:24 UTC)
Source: CVE
Vendor/Project: Google
Product: Chrome

Description

Use after free in Peer Connection in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: High)

AI-Powered Analysis

AILast updated: 07/05/2025, 05:39:57 UTC

Technical Analysis

CVE-2024-1059 is a high-severity use-after-free vulnerability identified in the Peer Connection component of Google Chrome versions prior to 121.0.6167.139. This vulnerability arises from improper memory management, specifically a use-after-free condition, which occurs when the program continues to use memory after it has been freed. In this case, the flaw exists within the WebRTC Peer Connection implementation, a critical feature used for real-time communication in browsers. An attacker can exploit this vulnerability by crafting a malicious HTML page that triggers stack corruption, potentially leading to arbitrary code execution within the context of the browser process. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity, with attack vector being network-based (remote attacker), no privileges required, but user interaction is necessary (visiting a malicious webpage). The impact includes full compromise of confidentiality, integrity, and availability of the affected system. Although no known exploits are currently reported in the wild, the nature of the vulnerability and its high CVSS score suggest that it is a critical risk that must be addressed promptly. The vulnerability is classified under CWE-416 (Use After Free), a common and dangerous memory corruption issue. Since WebRTC is widely used in modern web applications for voice, video, and data communication, this vulnerability poses a significant risk to users who browse untrusted or malicious websites. The lack of a patch link in the provided data suggests that users should update to the fixed version 121.0.6167.139 or later once available or apply any interim mitigations recommended by Google.

Potential Impact

For European organizations, the impact of CVE-2024-1059 can be substantial. Google Chrome is one of the most widely used browsers across Europe in both enterprise and consumer environments. Exploitation of this vulnerability could allow remote attackers to execute arbitrary code, potentially leading to full system compromise, data theft, or disruption of services. Organizations relying on web-based real-time communication tools that utilize WebRTC are particularly at risk, as attackers could leverage this flaw to bypass security controls and gain unauthorized access. This could affect sectors such as finance, healthcare, government, and critical infrastructure, where confidentiality and integrity of communications are paramount. Additionally, the requirement for user interaction (visiting a malicious webpage) means that phishing or social engineering campaigns could be used to trigger the exploit, increasing the risk of targeted attacks. The vulnerability could also be leveraged to deploy malware or ransomware, further amplifying the potential damage to European enterprises.

Mitigation Recommendations

To mitigate the risks posed by CVE-2024-1059, European organizations should take the following specific actions: 1) Immediately ensure that all instances of Google Chrome are updated to version 121.0.6167.139 or later, where the vulnerability is fixed. 2) Implement strict web browsing policies that restrict access to untrusted or unknown websites, especially those that could host malicious HTML content exploiting WebRTC. 3) Employ network-level protections such as web filtering and intrusion prevention systems (IPS) configured to detect and block suspicious WebRTC traffic or exploit attempts. 4) Educate users about the risks of visiting untrusted websites and the importance of avoiding clicking on unknown links or attachments that could lead to malicious pages. 5) Consider disabling or restricting WebRTC functionality in browsers where it is not required, using browser configuration policies or extensions, to reduce the attack surface. 6) Monitor security advisories from Google and cybersecurity authorities for any updates or patches related to this vulnerability. 7) Conduct regular vulnerability assessments and penetration testing focusing on browser security to detect potential exploitation attempts.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Chrome
Date Reserved
2024-01-30T04:27:49.767Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9818c4522896dcbd832d

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 5:39:57 AM

Last updated: 8/15/2025, 10:22:56 AM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats