CVE-2024-10487 - Critical Out-of-Bounds Write in Dawn (Google Chrome) Explained with Exploit Details

---

June 2024 — Security researchers have uncovered a serious vulnerability in Google Chrome's graphics subsystem, Dawn. Before version 130..6723.92, a flaw known as CVE-2024-10487 could let remote attackers exploit Chrome by tricking users into visiting a malicious webpage. This flaw makes it possible for attackers to write out of bounds in memory—potentially taking control of the browser or stealing data. Let's break down what this means, walk through the vulnerability, see how an attacker could exploit it, and learn how you can stay safe.

What is Dawn in Chrome?

Dawn is a graphics library used by Chrome to support WebGPU, the technology that lets web pages access the computer's graphics processor (GPU) for fast graphics and game engines. Since Dawn runs close to the system's hardware, bugs in its code can be dangerous.

Patch: Fixed in 130..6723.92+

The issue comes from improper bounds checking in the way Dawn handles certain GPU buffers, leading to out-of-bounds memory writes.

What does “out-of-bounds write” mean?
It means the software writes data past the end of a fixed-size buffer in memory. This can overwrite important data, cause crashes, or let attackers run their own code.

Crafting the Malicious Web Page:

Attackers build a page using advanced WebGPU JavaScript to create specially-shaped buffers and commands that trip up Dawn’s memory handling code.

Triggering the Bug:

When a user visits the page, their Chrome browser builds a GPU command buffer using Dawn. The bug makes Chrome write GPU data beyond safe memory bounds.

3. Memory Corruption / Code Execution:

Steal sensitive memory contents (confidentiality)

- Take over the browser process (run arbitrary code!), likely escaping the browser sandbox if chained with further exploits

Example: Vulnerable Pattern (Pseudocode)

While Google hasn’t published the full flawed code, here’s a simplified version of what goes wrong:

// (In Dawn's buffer management code: vulnerable function)
void WriteBuffer(uint32_t* buffer, uint32_t length, uint32_t* data, uint32_t dataLen) {
    for (uint32_t i = ; i < dataLen; ++i) {
        buffer[i] = data[i]; // Missing check: is i < length?
    }
}

// Attacker causes dataLen > length, leading to write outside buffer!

In JavaScript (Attacker's WebGPU code)

const gpuBuffer = device.createBuffer({
  size: 32,
  usage: GPUBufferUsage.COPY_DST | GPUBufferUsage.MAP_WRITE,
  mappedAtCreation: true
});

// Attacker provides more data than buffer size, exploiting lack of checks internally
const array = new Uint32Array(gpuBuffer.getMappedRange());
for (let i = ; i < 50; i++) { // 50 > 32!
  array[i] = x41414141; // Corrupts out-of-bounds memory
}
gpuBuffer.unmap();

Note: These code snippets are for demonstration and WILL NOT work as-is in safe browsers.

Real-World Exploit Example

Security researchers at Project Zero have shown how similar memory safety issues in GPU handling can be weaponized by attackers, often resulting in full code execution. In this case, an attacker could use the out-of-bounds write to manipulate browser memory, hijack execution, or even escape the sandbox when combined with other bugs.

Original References

- NVD Entry for CVE-2024-10487
- Chromium Issue Tracker (Sample)

(Note: Security bugs may be restricted until fixed.)

- Chromium Release Blog for June 2024
- Dawn GitHub

Update Chrome Immediately:

Go to the Chrome menu → Help → About Google Chrome. Update if you're on a version less than 130..6723.92.

Stay on Top of Browser Updates:

All browsers based on Chromium (like Edge, Brave, Opera) may be affected—be sure to update them too.

Conclusion

CVE-2024-10487 is a critical browser bug that allows attackers to corrupt memory just by visiting a malicious web page. With modern browsers tied tightly to system graphics hardware, this kind of bug is particularly dangerous. Always keep your software up to date and stay informed by following trusted security resources.

Stay safe—and always update your browser!

Author's Note:
This content is exclusive. Please refer to the original NVD advisory for official details. For deep dives on browser security and memory vulnerabilities, check out Google Project Zero Blog.

Timeline

Published on: 10/29/2024 22:15:03 UTC
Last modified on: 10/30/2024 14:35:07 UTC