CVE-2024-9957: 
vulnerability analysis and mitigation

A use-after-free vulnerability in the UI component of Google Chrome on iOS (CVE-2024-9957) was discovered prior to version 130.0.6723.58. The vulnerability was reported by security researchers lime(@limeSec_) and fmyy(@binary_fmyy) from TIANGONG Team of Legendsec at QI-ANXIN Group on August 8, 2024. Google classified this as a Medium severity issue and awarded a $5,000 bounty for the discovery (Chrome Release).

The vulnerability is classified as a Use After Free (CWE-416) issue affecting the UI components of Google Chrome on iOS. It received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability that requires user interaction but can lead to significant impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, the vulnerability could allow a remote attacker to potentially exploit heap corruption through a crafted HTML page, leading to high impacts on system confidentiality, integrity, and availability. The attack requires user interaction in the form of specific UI gestures (NVD).

The vulnerability has been patched in Google Chrome version 130.0.6723.58 for iOS. Users are advised to update their Chrome browsers to this version or later to mitigate the risk. The fix has also been incorporated into various products including Prisma Access Browser version 130.59.2920.7 and later versions (Palo Alto).