CVE-2024-4671 — Google Chromium Visuals Use-After-Free Vulnerability

CVE-2024-4671

Google Chromium Visuals — Zero-Day Use-After-Free Enables Heap Corruption via Crafted HTML

What is Chromium Visuals?

Chromium's Visuals component is the rendering engine subsystem responsible for compositing, painting, and displaying web page content on screen. It manages display lists, compositing trees, and the lifecycle of rendering objects. The Visuals component is a frequent site of use-after-free vulnerabilities because rendering objects have complex lifetime dependencies — objects are created, referenced by multiple compositing structures, and freed in ways that can leave dangling pointers if reference counting is incorrect. A use-after-free in the Visuals compositor can provide attacker-controlled heap reads/writes within the renderer process.

Overview

CVE-2024-4671 is a use-after-free vulnerability in Chromium's Visuals component that allows a remote attacker to trigger heap corruption by serving a crafted HTML page. Exploited as a zero-day, it was patched in Chrome 124.0.6367.201/.202 on May 9, 2024; CISA added it to the KEV catalog on May 13, 2024, one day before the NVD CVE publication date. This pre-NVD KEV addition reflects confirmed in-progress exploitation. It was the first of three Chrome zero-days patched in May 2024, followed by CVE-2024-4947 and CVE-2024-5274.

Affected Versions

Browser | Vulnerable | Fixed
Google Chrome | < 124.0.6367.201 (Linux), < 124.0.6367.202 (Windows/Mac) | 124.0.6367.201 (Linux), 124.0.6367.202 (Windows/Mac)
Microsoft Edge | Prior to equivalent patch | Corresponding Edge update
Other Chromium-based browsers | Prior to backport | Per vendor update

Technical Details

CWE-416 (Use-After-Free). In the Visuals compositing subsystem, a rendering object is freed while a reference to it is still held by another compositing structure. When the compositing logic later dereferences the stale pointer, it reads or writes memory in the freed allocation — which the allocator may have already repurposed for another object. An attacker who can craft a web page that triggers the dangling pointer access can use this primitive to:

  1. Read freed memory to leak heap addresses (defeating ASLR).
  2. Write to freed memory to corrupt adjacent allocations.
  3. Achieve controlled code execution within the sandboxed renderer process.

Like all renderer-process exploits, a complete sandbox escape requires a second vulnerability to break out of Chrome's sandbox and execute code on the host OS.
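The lifetime bug class described above, as an added example that is not taken from the Chromium code base and does not reproduce the specific defect behind CVE-2024-4671 (its trigger is not described on this page). A toy `RenderObject` is owned by a `DisplayList` through strong references and cached by a second compositing structure. `CompositorLayerRaw` keeps a raw pointer and so cannot tell that the owner released the object (CWE-416); `CompositorLayerWeak` keeps a `std::weak_ptr` and must upgrade it before every use, so a stale reference is reported instead of dereferenced. All four type names are invented for this illustration and are not Chromium's classes.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for a Visuals rendering object. The names in this example are
// invented for illustration and are not Chromium's own classes.
struct RenderObject {
    std::string name;
    int paint_count = 0;
    explicit RenderObject(std::string n) : name(std::move(n)) {}
};

// First compositing structure: the owner. Holds strong references, so
// clearing it destroys any object nobody else strongly references.
struct DisplayList {
    std::vector<std::shared_ptr<RenderObject>> items;
};

// Vulnerable pattern (CWE-416): a second structure caches a raw pointer and
// has no way to learn that the owner has released the object.
struct CompositorLayerRaw {
    RenderObject* target = nullptr;  // non-owning, never validated
    void Attach(const std::shared_ptr<RenderObject>& obj) { target = obj.get(); }
    // Once the owner frees the object this writes into freed memory.
    int Paint() { return ++target->paint_count; }
};

// Hardened pattern: a weak reference that must be upgraded before each use.
struct CompositorLayerWeak {
    std::weak_ptr<RenderObject> target;
    void Attach(const std::shared_ptr<RenderObject>& obj) { target = obj; }
    // lock() yields an empty pointer once the last strong reference is gone,
    // so a stale reference is reported (-1) instead of dereferenced.
    int Paint() {
        if (auto obj = target.lock()) return ++obj->paint_count;
        return -1;
    }
};

// Attach, paint while alive, let the owner free the object, paint again.
// Returns {paint count while alive, result after the free}.
std::pair<int, int> RunHardenedScenario() {
    DisplayList list;
    list.items.push_back(std::make_shared<RenderObject>("div#hero"));
    CompositorLayerWeak layer;
    layer.Attach(list.items[0]);
    int alive = layer.Paint();
    list.items.clear();              // last strong reference dropped: object destroyed
    int after_free = layer.Paint();  // -1, no memory access
    return {alive, after_free};
}

// Same sequence with the raw-pointer layer. The post-free Paint() is the
// use-after-free; it is gated behind a flag so the scenario runs cleanly.
// Building with -fsanitize=address and enabling the flag produces a
// heap-use-after-free report at that line.
constexpr bool kTriggerStaleDeref = false;

int RunRawScenario() {
    DisplayList list;
    list.items.push_back(std::make_shared<RenderObject>("div#hero"));
    CompositorLayerRaw layer;
    layer.Attach(list.items[0]);
    int alive = layer.Paint();
    list.items.clear();  // layer.target now dangles
    if (kTriggerStaleDeref) layer.Paint();
    return alive;
}

int main() {
    auto [alive, after] = RunHardenedScenario();
    std::printf("weak layer: alive=%d after_free=%d\n", alive, after);
    std::printf("raw layer: alive=%d (stale dereference not executed)\n", RunRawScenario());
    return 0;
}
```

The design point is the one the text makes about reference counting: every structure that outlives the owner must hold either a counted reference or a checked weak reference, never a bare pointer. In a real renderer the equivalent of `CompositorLayerRaw` is not an obvious single line but a cache, an observer list or a back-pointer whose lifetime assumptions drifted; AddressSanitizer builds are the practical way to surface such a site, since the stale dereference is otherwise silent until the allocator reuses the slot.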

Discovery

Reported to Google by an anonymous researcher. The CISA KEV addition before the NVD CVE publication date is unusual and underscores the urgency of the exploitation — it indicates Google and CISA coordinated on the zero-day status before the CVE was fully processed in the NVD pipeline.

Exploitation Context

Active exploitation was confirmed at the time of patch release, making this one of three Chrome zero-days patched in May 2024 — an unusual concentration. The May 2024 zero-day cluster aligns with campaigns by nation-state actors targeting high-value individuals; use-after-free vulnerabilities in the Visuals compositor have previously been chained with V8 type confusion and kernel sandbox escapes in full exploit chains deployed via one-click drive-by attacks.

Remediation

  1. Update Chrome to 124.0.6367.201 (Linux) or .202 (Windows/Mac) or any later version.
  2. Update all other Chromium-based browsers (Edge, Opera, Brave, etc.) to their corresponding patched releases.
  3. Enable automatic browser updates to minimize the window between zero-day exploitation and patch delivery.
  4. Organizations managing browser fleet versions should verify Chrome auto-update is functioning and not blocked by endpoint controls.
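For steps 1 and 4 above, a check that an inventoried Chrome version meets the advisory's fixed build, honouring the Linux (.201) versus Windows/Mac (.202) split. This is an added example, not tooling from Google or CISA; `ParseVersion`, `FixedVersionFor` and `IsPatched` are this example's own names, the inventory rows are constructed, and "125.0.1.1" is a made-up later build rather than a real release. What it adds to the list is the comparison pitfall: versions must be compared component-wise as numbers, because string comparison ranks "124.0.6367.99" above "124.0.6367.201" and would report an unpatched host as patched.

```cpp
#include <array>
#include <cstdio>
#include <string>

// Platforms as split in the advisory: Linux was fixed in .201, Windows and
// macOS in .202.
enum class Platform { Linux, Windows, Mac };

using Version = std::array<unsigned, 4>;  // major.minor.build.patch

// Parse a dotted four-component Chrome version. Returns false for anything
// else (fewer fields, trailing characters) so callers can treat it as unknown.
bool ParseVersion(const std::string& text, Version* out) {
    unsigned a = 0, b = 0, c = 0, d = 0;
    char trailing = 0;
    int fields = std::sscanf(text.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing);
    if (fields != 4) return false;  // exactly four numbers and nothing after them
    *out = {a, b, c, d};
    return true;
}

// Fixed build per platform, taken from the Affected Versions table.
Version FixedVersionFor(Platform p) {
    if (p == Platform::Linux) return {124, 0, 6367, 201};
    return {124, 0, 6367, 202};
}

// True when the installed build is at or above the fixed build. std::array
// compares lexicographically by component, which is the numeric ordering a
// version needs; comparing the strings instead would misrank ".99" vs ".201".
// An unparseable version is reported as unpatched so that it gets looked at.
bool IsPatched(const std::string& installed, Platform p) {
    Version v;
    if (!ParseVersion(installed, &v)) return false;
    return v >= FixedVersionFor(p);
}

int main() {
    // Inventory rows constructed for this example; "125.0.1.1" is a made-up
    // later build, not a real Chrome release.
    struct Entry { const char* host; const char* version; Platform platform; };
    const Entry inventory[] = {
        {"lin-01", "124.0.6367.201", Platform::Linux},
        {"win-01", "124.0.6367.201", Platform::Windows},  // fixed on Linux, not on Windows
        {"mac-01", "124.0.6367.99", Platform::Mac},
        {"win-02", "125.0.1.1", Platform::Windows},
        {"win-03", "unknown", Platform::Windows},
    };
    for (const Entry& e : inventory)
        std::printf("%s %-16s %s\n", e.host, e.version,
                    IsPatched(e.version, e.platform) ? "patched" : "NEEDS UPDATE");
    return 0;
}
```

The same function applies to later Chrome zero-days by changing `FixedVersionFor`; the platform split is the part that is easy to get wrong when a single "minimum version" is pushed to a mixed fleet.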

Key Details

Property | Value
CVE ID | CVE-2024-4671
Vendor / Product | Google — Chromium
NVD Published | 2024-05-14
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 9.6
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-416
CISA KEV Added | 2024-05-13
CISA KEV Deadline | 2024-06-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Changed
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2024-06-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-05-09 | Google releases Chrome 124.0.6367.201/.202 patching CVE-2024-4671; exploitation confirmed in the wild
2024-05-13 | Added to CISA Known Exploited Vulnerabilities catalog (four days after the patch, one day before the NVD publication date)
2024-06-03 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Chrome Stable Channel Update — May 9, 2024 | Vendor Advisory
NVD — CVE-2024-4671 | Vulnerability Database
CISA KEV Catalog Entry | US Government