CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-0808

CVSS 9.8v3.1pub. 2024-01-24upd. 2025-05-30

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)

🤖 AI Analysis
How it works

An integer underflow error (CWE-191) in the WebUI module causes an integer value to drop below the acceptable minimum, leading to improper memory operations. As a result, an attacker can trigger heap corruption by delivering a malicious file to the user. Since the attack does not require authentication or user interaction other than opening a file, the attack surface is very broad.

Impact

An attacker may potentially gain full control over the victim's system — the vulnerability provides confidentiality, integrity, and availability at a critical level (C:H/I:H/A:H), which in practice means the possibility of remote code execution (RCE).

Mitigation & patch

Google Chrome should be updated immediately to version 121.0.6167.85 or later. Users of Debian Linux and Fedora distributions should apply package updates in accordance with communications published by these projects (references to fedoraproject.org lists).

Who is affected

Google Chrome in versions earlier than 121.0.6167.85; also affects Chrome/Chromium packages available in Debian Linux and Fedora.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Debian

    OS
    Debian
    11.0
  • Fedora Project Fedora

    OS
    Fedoraproject
    3839
  • Google Chrome

    APP
    Google
    < 121.0.6167.85
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt

GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)

CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt

RCE przez deserializację PHP w Roundcube Webmail (parametr _from)

CVE-2025-32433CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)