CVE-2024-5274 — Google Chromium V8 Type Confusion Vulnerability

Google Chromium V8 — Zero-Day Type Confusion, Same-Day CISA KEV Addition

What is Chromium V8?

V8 is the open-source JavaScript and WebAssembly engine at the core of Google Chrome, Microsoft Edge, Opera, and every application built on the Chromium project. V8 parses, compiles, and optimizes JavaScript code encountered during web browsing — making it both the performance-critical heart of the browser and its most complex attack surface. Type confusion vulnerabilities in V8 allow attackers to corrupt heap memory by causing the engine to treat an object as the wrong type, typically enabling arbitrary read/write primitives that can be chained with a sandbox escape for full OS code execution.

Overview

CVE-2024-5274 is a type confusion vulnerability in V8 that allows a remote attacker to execute code by serving a crafted HTML page to a victim who visits it in a Chromium-based browser. It was exploited as a zero-day, with CISA adding it to the KEV catalog on the same day Google released Chrome 125.0.6422.112/.113. The simultaneous patch-and-KEV addition confirms in-progress exploitation at the time of disclosure. This was the ninth Chrome zero-day patched in 2024 — part of an unusually high volume of V8 and Chromium zero-days that year, many attributed to North Korean and other nation-state threat actors targeting high-value individuals.

Affected Versions

Browser                       | Vulnerable                                     | Fixed
Google Chrome                 | < 125.0.6422.112 (Linux) / .113 (Windows/Mac)  | 125.0.6422.112 / .113
Microsoft Edge                | Prior to equivalent patch                      | Corresponding Edge update
Other Chromium-based browsers | Prior to backport                              | Per vendor update

Technical Details

CWE-843 (Access of Resource Using Incompatible Type / Type Confusion). V8's JIT compiler and optimizer make assumptions about object types for performance; an attacker can construct JavaScript that causes V8 to process an object with a mismatched type assumption, corrupting adjacent heap memory. Controlled heap corruption typically yields:

  1. An arbitrary read primitive to leak memory addresses (defeating ASLR).
  2. An arbitrary write primitive to overwrite function pointers or JIT code.
  3. Code execution within the sandboxed renderer process — requiring a second sandbox-escape vulnerability for full OS-level compromise.

This vulnerability is closely related to CVE-2024-4947 (May 15) and CVE-2024-7971 (August 21) — all V8 type confusion zero-days discovered and patched within the same year, reflecting sustained adversary investment in V8 exploit development.

Discovery

Reported to Google by Clément Lecigne of Google's Threat Analysis Group (TAG), the team that discovers many of the zero-days used by commercial spyware operators and state-sponsored groups. Discovery by TAG itself suggests the vulnerability was found during analysis of an active exploitation campaign.

Exploitation Context

The same-day CISA KEV addition (May 28, 2024) confirms active exploitation at the time of patch release. The 2024 spike in Chrome zero-days was linked to nation-state actors — particularly North Korea-affiliated groups (Lazarus Group / Citrine Sleet) targeting cryptocurrency and financial sector employees — and commercial spyware operators. Exploit chains based on V8 type confusion followed by Windows kernel or Chrome sandbox escape were commonly deployed via drive-by web pages sent to targets through phishing or social engineering.

Remediation

  1. Update Chrome to 125.0.6422.112 (Linux) or .113 (Windows/Mac) or any later version.
  2. Update Microsoft Edge, Opera, Brave, and any other Chromium-based browser to the corresponding patched release.
  3. Enable automatic browser updates to ensure future zero-days are patched without delay.
  4. For organizations: enforce minimum browser version requirements via policy and consider browser isolation for high-risk users.
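Step 4 above calls for enforcing a minimum browser version. As an added example (not part of this advisory), the helper below classifies Chrome builds from a software inventory against the fixed versions stated here, including the platform split (Linux is fixed at .112, Windows/Mac only at .113); the inventory lines are constructed sample data.

```python
# Added example: audit inventory entries against the CVE-2024-5274 fix builds.
# Fixed builds per the advisory: 125.0.6422.112 (Linux), 125.0.6422.113 (Windows/Mac).
from typing import Optional

FIXED_VERSIONS = {
    "linux": (125, 0, 6422, 112),
    "windows": (125, 0, 6422, 113),
    "mac": (125, 0, 6422, 113),
}

def parse_version(s: str) -> Optional[tuple]:
    """Parse a dotted Chrome version into four ints; None if it is malformed."""
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str, platform: str) -> Optional[bool]:
    """True if the build is below the fixed build for its platform.
    None when the version or platform cannot be interpreted (needs review)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(platform.lower())
    if parsed is None or fixed is None:
        return None
    # Tuple comparison is numeric per component; comparing the raw strings
    # would be lexical and rank "125.0.6422.9" above "125.0.6422.113".
    return parsed < fixed

# Constructed inventory (hostname,platform,version); not real hosts.
INVENTORY = """\
ws-01,windows,125.0.6422.112
ws-02,windows,125.0.6422.113
srv-03,linux,125.0.6422.112
mac-04,mac,124.0.6367.208
ws-05,windows,126.0.6478.55
ws-06,windows,unknown
"""

def audit(inventory: str = INVENTORY) -> dict:
    """Map each hostname to 'vulnerable', 'patched' or 'review'."""
    result = {}
    for line in inventory.splitlines():
        host, platform, version = line.split(",")
        state = is_vulnerable(version, platform)
        result[host] = "review" if state is None else ("vulnerable" if state else "patched")
    return result

if __name__ == "__main__":
    for host, state in audit().items():
        print(f"{host}: {state}")
```

Note that ws-01 is reported as vulnerable: a Windows host on .112 has not received the Windows fix, which is .113.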

Key Details

Property             | Value
CVE ID               | CVE-2024-5274
Vendor / Product     | Google — Chromium V8
NVD Published        | 2024-05-28
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 9.6
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-843
CISA KEV Added       | 2024-05-28
CISA KEV Deadline    | 2024-06-18
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | Required
Scope               | Changed
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2024-06-18. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-05-28 | Google releases Chrome 125.0.6422.112/.113 patching CVE-2024-5274; CISA adds it to the KEV catalog the same day (confirmed zero-day)
2024-06-18 | CISA BOD 22-01 remediation deadline

References

Resource                                    | Type
Chrome Stable Channel Update — May 23, 2024 | Vendor Advisory
NVD — CVE-2024-5274                         | Vulnerability Database
CISA KEV Catalog Entry                      | US Government