CVE-2024-4947 — Google Chromium V8 Type Confusion Vulnerability

Google Chromium V8 — Zero-Day Type Confusion in V8 Turbofan JIT Compiler

What is Chromium V8?

V8 is Google's open-source JavaScript and WebAssembly engine powering Chrome, Edge, Opera, and all Chromium-based applications. Its Turbofan JIT compiler optimizes frequently executed JavaScript code for performance by making type assumptions about objects — assumptions that, if violated through attacker-controlled JavaScript, can result in type confusion and heap corruption. Type confusion vulnerabilities in V8 are among the most reliably exploitable browser security flaws and are frequently targeted by state-sponsored groups and commercial spyware vendors.

Overview

CVE-2024-4947 is a type confusion vulnerability in V8's Turbofan JIT compiler that allows a remote attacker to achieve heap corruption via a crafted HTML page visited in any Chromium-based browser. Exploited as a zero-day and patched in Chrome 124.0.6367.201/.202 on May 15, 2024, it was added to the CISA KEV catalog five days later. It is one of three V8 type confusion zero-days patched within a two-week span in May 2024 (alongside CVE-2024-4671 and followed by CVE-2024-5274 on May 28), reflecting a period of intense V8 zero-day activity linked to nation-state threat actors.

Affected Versions

Browser                       | Vulnerable                                    | Fixed
Google Chrome                 | < 124.0.6367.201 (Linux) / .202 (Windows/Mac) | 124.0.6367.201/.202
Microsoft Edge                | Prior to equivalent patch                     | Corresponding Edge update
Other Chromium-based browsers | Prior to backport                             | Per vendor update

Technical Details

CWE-843 (Type Confusion). Turbofan, V8's optimizing JIT compiler, speculatively compiles JavaScript based on type information observed at runtime. When attacker-crafted JavaScript invalidates those type assumptions after compilation, the optimized code continues to operate on the object as if it still had the originally observed layout. That mismatch is the type confusion: the compiled code reads or writes memory through an incorrect type layout and corrupts the heap. The typical exploit chain proceeds as follows:

  1. V8 type confusion → controlled heap corruption.
  2. Use corruption to build arbitrary read/write primitives.
  3. Execute code within the Chrome renderer sandbox.
  4. Chain with a sandbox escape (a separate vulnerability) for full OS code execution.

The renderer sandbox limits the initial impact to browser-process memory; a complete exploit requires a second bug for sandbox escape.

Discovery

Reported to Google. The rapid succession of V8 zero-days in May 2024 (CVE-2024-4671 on May 9, CVE-2024-4947 on May 15, CVE-2024-5274 on May 28) suggests either multiple independent researchers discovering related bugs, or a single threat actor using a chain of V8 bugs before each is caught and patched.

Exploitation Context

Active exploitation was confirmed, prompting the May 20, 2024 CISA KEV addition. The 2024 V8 zero-day cluster was associated with campaigns targeting cryptocurrency industry employees, financial sector workers, and government officials — profiles consistent with North Korea-linked APTs (Lazarus Group, Citrine Sleet) who routinely use browser zero-day chains to deploy cryptocurrency-theft and espionage implants. The Chromium update cycle (stable channel) typically delivers patches to users within hours of release via auto-update.

Remediation

  1. Update Chrome to 124.0.6367.201 (Linux) or .202 (Windows/Mac) or any later version.
  2. Update Microsoft Edge and other Chromium-based browsers to the corresponding patched releases.
  3. Enable automatic browser updates — Chrome's auto-update mechanism is one of the fastest security update pipelines available for any software product.
  4. Organizations should enforce a minimum Chrome version via policy (Chrome Enterprise) and block outdated browser versions from accessing enterprise resources.
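As an added example (not part of the original advisory), the following Python check applies the minimum-version rule from step 4 to a browser inventory, using the per-platform fixed builds stated above; the hostnames, reported versions and inventory layout are constructed sample data, not real assets.

```python
"""Added example: flag Chromium builds still vulnerable to CVE-2024-4947.

Fixed builds are those given on this page: 124.0.6367.201 on Linux and
124.0.6367.202 on Windows and macOS. The inventory rows are constructed
sample data, not real hosts.
"""
from __future__ import annotations

# Minimum patched build per platform (Chrome Stable Channel Update, May 15 2024).
FIXED_BUILD: dict[str, tuple[int, ...]] = {
    "linux": (124, 0, 6367, 201),
    "windows": (124, 0, 6367, 202),
    "mac": (124, 0, 6367, 202),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted Chromium version string into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Chromium version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str, platform: str) -> bool:
    """True when the build predates the platform's CVE-2024-4947 fix.

    Note the Windows/Mac threshold is .202: a Windows host reporting
    124.0.6367.201 is still unpatched even though that build fixes Linux.
    """
    key = platform.lower()
    if key not in FIXED_BUILD:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) < FIXED_BUILD[key]

def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose reported build still needs the update."""
    return [host for host, ver, plat in inventory if is_vulnerable(ver, plat)]

# Constructed sample inventory: (hostname, reported Chrome version, platform).
SAMPLE_INVENTORY = [
    ("ws-001", "124.0.6367.118", "windows"),  # pre-fix build
    ("ws-002", "124.0.6367.201", "windows"),  # Windows needs .202
    ("ws-003", "124.0.6367.201", "linux"),    # patched on Linux
    ("ws-004", "124.0.6367.202", "mac"),      # patched
    ("ws-005", "125.0.6422.60", "windows"),   # later release, patched
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome update required for CVE-2024-4947")
```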

Key Details

Property             | Value
CVE ID               | CVE-2024-4947
Vendor / Product     | Google — Chromium V8
NVD Published        | 2024-05-15
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 9.6
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-843
CISA KEV Added       | 2024-05-20
CISA KEV Deadline    | 2024-06-10
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Changed
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2024-06-10. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-05-15 | Google releases Chrome 124.0.6367.201/.202 patching CVE-2024-4947; exploitation confirmed in the wild
2024-05-20 | Added to CISA Known Exploited Vulnerabilities catalog
2024-06-10 | CISA BOD 22-01 remediation deadline

References

Resource                                    | Type
Chrome Stable Channel Update — May 15, 2024 | Vendor Advisory
NVD — CVE-2024-4947                         | Vulnerability Database
CISA KEV Catalog Entry                      | US Government