CVE-2024-4761 — Google Chromium V8 Out-of-Bounds Memory Write Vulnerability

CVE-2024-4761

Chrome V8 Engine — Zero-Day OOB Write via Crafted HTML; Second Chrome Zero-Day in One Week in May 2024

What is the Chrome V8 JavaScript Engine?

V8 is Google's open-source JavaScript and WebAssembly engine, used in Google Chrome, Microsoft Edge, Opera, and virtually all Chromium-based browsers, as well as Node.js on the server side. V8 compiles JavaScript just-in-time (JIT) to native machine code for performance, managing complex object graphs, array layouts, and memory using its own garbage collector. V8's performance optimizations introduce complex type and memory state that can lead to memory corruption vulnerabilities — out-of-bounds writes, type confusions, and use-after-frees — which are particularly valuable for browser exploitation because V8 is directly accessible from any webpage's JavaScript.

Overview

CVE-2024-4761 is a zero-day out-of-bounds memory write vulnerability in the Chrome V8 JavaScript engine that allows an unauthenticated attacker to achieve remote code execution via a crafted web page. Google patched it on May 13, 2024 with Chrome 124.0.6367.207/.208 — just one week after patching CVE-2024-4671 (another Chrome zero-day, an object-out-of-bounds in Visuals). The close timing of two Chrome zero-days suggests either a sophisticated actor with access to multiple Chrome exploits or a single exploit chain involving both bugs. CISA added CVE-2024-4761 to the KEV catalog on May 16, 2024. The vulnerability was reported by an anonymous researcher.

Affected Versions

Browser | Vulnerable | Fixed
Google Chrome | < 124.0.6367.207 (Windows/Mac); < 124.0.6367.207 (Linux) | 124.0.6367.207/.208
Microsoft Edge | Chromium-based versions prior to the corresponding patch | Apply Edge update
Other Chromium browsers | All versions prior to patch | Apply vendor-specific update

Technical Details

CWE-787 (Out-of-Bounds Write). The V8 engine contains a memory write operation that does not properly validate array or buffer bounds before writing. In JavaScript engines, OOB writes typically arise from JIT compiler optimizations that make incorrect assumptions about array sizes or object layouts — the JIT emits code that skips a bounds check because it "knows" (incorrectly) that the index is in-range. By crafting JavaScript that triggers this specific execution path, an attacker can write data past the end of a V8 heap object into adjacent memory.

The exploitation sequence for a V8 OOB write:

  1. Use the OOB write to corrupt adjacent V8 heap metadata (e.g., array length fields or typed array buffer pointers).
  2. Use the corrupted metadata to achieve arbitrary read/write over the V8 heap.
  3. Use heap read/write to corrupt the JIT code page or function pointer to redirect execution.
  4. Execute shellcode or ROP chain in the renderer process context.

In a full exploit chain, this renderer-process code execution is then paired with a sandbox escape (such as a separate kernel LPE) to gain full OS access.

Discovery

Reported to Google by an anonymous researcher. Google's description "Google is aware that an exploit for CVE-2024-4761 exists in the wild" confirms active exploitation at the time of disclosure. The anonymity of the reporter is consistent with the bug being discovered through active exploit chain analysis rather than bounty research.

Exploitation Context

Chrome V8 zero-days are among the most valuable browser vulnerabilities because Chrome's renderer sandbox is the first barrier to full system compromise; exploiting V8 provides arbitrary code execution inside the sandbox, which is then typically chained with a sandbox escape for complete device compromise. Two V8/Chromium zero-days in a single week (CVE-2024-4671 on May 9 and CVE-2024-4761 on May 13) indicate either a threat actor with redundant exploit inventory or a coordinated disclosure of a multi-step chain. Chrome zero-days at this severity are typically used in nation-state watering hole attacks, commercial spyware (Pegasus-style), and high-end targeted phishing campaigns.

Remediation

  1. Update Google Chrome to version 124.0.6367.207 or later — Chrome updates automatically but users should verify via Chrome menu → Help → About Google Chrome.
  2. Update Microsoft Edge, Opera, Brave, and any other Chromium-based browsers to their corresponding patched versions.
  3. Enable automatic browser updates in enterprise environments via Group Policy or MDM to reduce the window between patch release and deployment.
  4. Consider deploying Chrome enterprise policies that restrict navigation to untrusted or unknown domains for high-risk user populations.
  5. Deploy browser isolation (Remote Browser Isolation) for users who regularly visit external or untrusted web content as an additional defense layer against zero-day browser exploits.
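Remediation step 1 comes down to one question per endpoint: is the installed Chrome build at or above 124.0.6367.207? The following is an added example (not part of this advisory) of a fleet-side triage check. It encodes only the fixed builds stated in the Affected Versions table above (124.0.6367.207/.208 for Windows and Mac, 124.0.6367.207 for Linux); the inventory rows, hostnames and version strings are constructed, and the patched thresholds for Edge, Brave and Opera are not on this page, so they are deliberately left out.

```python
"""Is an installed Chrome build still below the CVE-2024-4761 fix?

Added example, not from the advisory. Only Chrome thresholds taken from the
Affected Versions table are encoded; anything older is treated as vulnerable.
"""
import re

# First patched Chrome build per platform (from the advisory's table). Both
# 124.0.6367.207 and .208 are patched, so ">= .207" is the test on every platform.
FIXED_VERSIONS = {
    "windows": (124, 0, 6367, 207),
    "mac": (124, 0, 6367, 207),
    "linux": (124, 0, 6367, 207),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a dotted version from free text, e.g. the output of
    `google-chrome --version` ("Google Chrome 124.0.6367.118"), and return it
    as a 4-tuple of ints (short versions are zero-padded) so that plain tuple
    comparison orders builds correctly ("124.0.6367.99" < "124.0.6367.207")."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version_text: str, platform: str) -> bool:
    """True if the build is older than the first patched build for the platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version_text) < FIXED_VERSIONS[key]


def triage(inventory):
    """Given (hostname, platform, version string) rows, return the hostnames
    that still need the Chrome 124.0.6367.207 update."""
    return [host for host, platform, ver in inventory if is_vulnerable(ver, platform)]


# Constructed sample inventory (hostnames and versions invented for this example).
# The Linux rows mimic raw `google-chrome --version` output; the others hold the
# bare version as an MDM or software-inventory agent would report it.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "124.0.6367.201"),
    ("ws-02", "windows", "124.0.6367.208"),
    ("ws-03", "mac", "124.0.6367.207"),
    ("build-07", "linux", "Google Chrome 123.0.6312.122"),
    ("build-08", "linux", "Google Chrome 125.0.6422.60"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below 124.0.6367.207, update and relaunch required")
```

Comparing as integer tuples rather than strings matters here: a string comparison would rank "124.0.6367.99" above "124.0.6367.207" and silently mark a vulnerable host as patched.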

Key Details

Property | Value
CVE ID | CVE-2024-4761
Vendor / Product | Google — Chromium V8
NVD Published | 2024-05-14
NVD Last Modified | 2025-12-23
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2024-05-16
CISA KEV Deadline | 2024-06-06
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-06-06. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2024-05-13 | Google releases Chrome 124.0.6367.207/.208 patching CVE-2024-4761 as a zero-day (second Chrome zero-day in one week)
2024-05-16 | Added to CISA Known Exploited Vulnerabilities catalog
2024-06-06 | CISA BOD 22-01 remediation deadline