CVE-2024-11920 - How a Chrome Memory Bug Opened the Door for Hackers on Mac

In early 2024, Google's Chrome browser for macOS faced a critical security flaw identified as CVE-2024-11920. This vulnerability, rooted in the "Dawn" graphics abstraction layer, could allow remote attackers to execute out-of-bounds memory access and potentially hijack a user's Mac via a specially crafted HTML page. In plain English: just visiting the wrong webpage could let hackers run code on your machine.

This post will break down what happened, how the bug works, and what you can do about it—with easy-to-understand code snippets and all the important links.

What is Dawn, Anyway?

Dawn is an open-source library used in Chromium (the core of Chrome) to implement WebGPU, a technology that lets web pages access your graphics card for more complex visuals. Think of it as a bridge between the web and your GPU.

The Bug Explained Simply

In Chrome releases before 130..6723.92 on Mac, Dawn didn’t properly check some memory boundaries. This made it possible for a cunning attacker, through a carefully-designed web page, to trick Chrome into reading or writing outside the area of memory it’s supposed to use—what’s called an "out-of-bounds" access.

Why is this dangerous? Making the browser manipulate memory like this can crash Chrome (best-case scenario) or, worse, can let hackers run their own malicious code.

What an Exploit Could Look Like

Below is a simplified code snippet (for educational purposes!) showing how a malicious page might exploit this. Note: The real exploit would be far more complex, but this gives a glimpse of the concept:

<script>
  // WebGPU Setup (Works on Chrome if enabled)
  async function triggerBug() {
    // Request GPU device
    const adapter = await navigator.gpu.requestAdapter();
    const device = await adapter.requestDevice();
    
    // Create a buffer with intentionally wrong size to mimic overflow
    const buffer = device.createBuffer({
      size: xFFFFFFF, // Super large, not properly checked in old Dawn
      usage: GPUBufferUsage.COPY_DST | GPUBufferUsage.MAP_WRITE,
      mappedAtCreation: true
    });

    // Try to write data outside the intended bounds
    const arrayBuffer = buffer.getMappedRange();
    let fakeData = new Uint8Array(arrayBuffer);
    for(let i = ; i < fakeData.length; i++) {
      fakeData[i] = x41; // Fill with 'A's, potentially way beyond limits
    }
    buffer.unmap();
  }
  triggerBug();
</script>

Note: In real attacks, the buffer size and usage would be carefully crafted to poke at Dawn's vulnerability and leverage the out-of-bounds write/read to take control.

How Google Fixed It

After researchers reported this flaw (see references below), Google patched Chrome in version 130..6723.92 for Mac. They added robust checks to prevent Dawn from allowing buffer overflows.

Should You Be Worried?

If your Chrome is up to date, you’re safe.
If you skipped updates, or run legacy versions (“just because it works better!”), stop and upgrade now.

To check your version:

The Technical Details—Writeups and References

- Chromium Security Advisory, High Severity (CVE-2024-11920)
- CVE Details: CVE-2024-11920
- Project Dawn GitHub
- Chromium WebGPU (Dawn) Source
- How Out-of-Bounds Exploits Work (MDN)

Stay safe, and don’t be shy to update!

*Written exclusively for the knowledge-hungry, by your browser security advocate.*

Timeline

Published on: 11/14/2025 03:15:55 UTC
Last modified on: 11/17/2025 12:25:29 UTC