ISN 2024-10: Chromium Critical Vulnerability

Updated 25 April 2024 (Chromium App 124.0.6367.60 available)

First published 15 April 2024

CVSS 3.1: 9.8 (critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P

Summary

Multiple security vulnerabilities have been found in the Chromium web browser used in IGEL OS. This affects the following IGEL products:

  • IGEL OS 12
  • IGEL OS 11

Details

Among the issues discovered is a use-after-free in ANGLE, the WebGL component in Chromium (CVE-2024-2883). An attacker could use a crafted HTML page to exploit the resulting heap corruption, so this issue is rated critical. Google is aware that an exploit for this vulnerability exists in the wild.

In addition, issues rated high have been found: a use-after-free in Dawn (CVE-2024-2885), a use-after-free in WebCodecs (CVE-2024-2886), and a type confusion in WebAssembly (CVE-2024-2887).

Update Instructions

  • OS 12: Update to the OS 12 Chromium app version 124.0.6367.60 from the IGEL App Portal.
  • OS 11: The IGEL OS Private Build 11.09.268 with Chromium updated to version 123.0.6312.105 is available from IGEL Customer Engineering.
