CVE-2024-8194: 
vulnerability analysis and mitigation

A Type Confusion vulnerability in V8 engine (CVE-2024-8194) was discovered in Google Chrome versions prior to 128.0.6613.113. The vulnerability was reported by Seunghyun Lee (@0x10n) on August 18, 2024, and was classified with high severity by Chromium security team (Chrome Release).

The vulnerability is classified as CWE-843 (Access of Resource Using Incompatible Type), commonly known as Type Confusion. It affects the V8 JavaScript engine in Google Chrome and could potentially lead to heap corruption when triggered via a specially crafted HTML page. The vulnerability has received a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H from NIST, while CISA-ADP assessed it with a score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow a remote attacker to potentially exploit heap corruption through a specially crafted HTML page, potentially leading to arbitrary code execution with the same privileges as the Chrome browser process. Given the high CVSS scores and impact ratings for confidentiality, integrity, and availability, successful exploitation could have significant consequences for affected systems (NVD).

Google has addressed this vulnerability in Chrome version 128.0.6613.113 and later. Users are advised to update their Chrome browsers to the latest version. The fix has been rolled out for Windows, Mac, and Linux platforms (Chrome Release).