CVE-2024-4671

ENISA EUVD: EUVD-2024-44272 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 17 articles Published: 2024-05-09

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

0.18%

probability

This CVE has a 0.18% probability of being exploited in the next 30 days.

0% Top 39.6th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

9.6

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Affected Products

Google

Chrome

124.0.6367.201

google

chrome

fedoraproject

fedora

Google

Chrome

124.0.6367.201 <124.0.6367.201

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-416 · Use After Free CWE-664 · Improper Control of a Resource Through its Lifetime CWE-666 · Operation on Resource in Wrong Phase of Lifetime CWE-672 · Operation on a Resource after Expiration or Release CWE-825 · Expired Pointer Dereference

Google Project Zero

Discovered

May 7, 2024

Patched

May 9, 2024

Reported by

???

Root Cause Analysis

???

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html

https://issues.chromium.org/issues/339266700

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTSN22LNYXMWHVTYNOYQVOY7VDZFHENQ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAWEKDQTHPN7NFEMLIWP7YMIZ2DHF36N/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSUWM73ZCXTN62AT2REYQDD5ZKPFMDZD/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN/

Signal Intelligence

Confidenceⓘ

92%

EPSS 0.18%

CVSS v3.1 9.6

Mentions 17

Last Seen Aug 29, 2024

CNA Information

CNA Assigner

Chrome

Analyst Note

CVE-2024-4671 is confirmed as actively exploited in the wild, with multiple credible sources (BleepingComputer) documenting Google's acknowledgment of this zero-day exploitation. The critical CVSS score (9.6) combined with sandbox escape capability and documented active exploitation in 2024 provides strong corroboration for the confirmed status.

Threat Actors 5

APT 29

apt_group Information theft and espionage 🇷🇺 RU

APT 28

apt_group Information theft and espionage 🇷🇺 RU

Hacking Team

apt_group 🇮🇹 IT

Pat Bear

apt_group 🇸🇾 SY

APT 5

apt_group Information theft and espionage 🇨🇳 CN

Triage Info

Decided atMar 03, 2026

Published DateMay 09, 2024