Recently, Google patched a critical browser vulnerability: CVE-2024-4058. This bug allowed remote attackers to execute code on your system by exploiting a flaw in ANGLE (the graphics backend used by Chrome), leading to heap corruption. In this post, we’ll walk through what this means, how the exploit works—even showing simple code snippets and linking to direct sources.

Patched Version: 124..6367.78

- Type of Vulnerability: Type Confusion / Heap Corruption

Fixed: April 2024

This issue is especially dangerous. A type confusion in the ANGLE library means objects in memory could be mistaken for other objects, leading to memory being read or written incorrectly. Attackers can craft webpages to control memory layouts, leading to potential arbitrary code execution.

> “Type confusion bugs let attackers lie to the software about what kind of thing they're manipulating, causing memory to be referenced out of order.”
— simplified

Chromium Bug:

https://bugs.chromium.org/p/chromium/issues/detail?id=329054584

Release Notes:

Chrome 124 release update

NVD Details:

https://nvd.nist.gov/vuln/detail/CVE-2024-4058

Why is ANGLE Important?

ANGLE is a graphics translation layer. Chrome uses it to run WebGL (3D graphics in your browser). Any flaw here can be triggered by drawing commands in HTML5/JS, making this bug reachable by just visiting a webpage.

How the Exploit Happens (Simple Terms)

1. Craft a Malicious HTML Page: The attacker creates a web page that runs JavaScript, triggering specific WebGL code paths.
2. Trigger Type Confusion: Through carefully chosen WebGL API uses, memory gets confused—an object is treated as a different, larger, or incompatible type.
3. Heap Corruption: The browser writes or reads out-of-bounds memory, which may corrupt control data structures in the process heap.
4. Arbitrary Code Execution: If the attacker can control *what* memory is written, they can then hijack program execution (e.g., by overwriting function pointers).

Code Example: WebGL Trigger

The exact exploit code is not public (it’s too dangerous). But to demonstrate, here’s a conceptual snippet showing how engineered WebGL calls could trigger a graphics library bug:

<!DOCTYPE html>
<html>
<body>
<canvas id="canvas"></canvas>
<script>
var canvas = document.getElementById("canvas");
var gl = canvas.getContext("webgl");
// Step 1: Generate fuzzed/malformed shader code
var vertexShader = gl.createShader(gl.VERTEX_SHADER);
gl.shaderSource(vertexShader, "attribute vec4 position; void main() { gl_Position = position; }");
gl.compileShader(vertexShader);

var fragShader = gl.createShader(gl.FRAGMENT_SHADER);
// 'gl_FragColor' with weird data (triggering UAF or buffer overflow in shader compilation)
gl.shaderSource(fragShader, "void main() { gl_FragColor = vec4(1e30); }");
gl.compileShader(fragShader);

// Step 2: Attach to fake program
var program = gl.createProgram();
gl.attachShader(program, vertexShader);
gl.attachShader(program, fragShader);

// Step 3: Trigger rendering paths
gl.linkProgram(program);
gl.useProgram(program);

// Step 4: Draw with malicious attributes
gl.drawArrays(gl.TRIANGLE_STRIP, , 10000);
</script>
</body>
</html>

This code is *benign*, but attackers can fuzz the shader code, vertex attributes, and GL states in crazy ways to push ANGLE into confusion.

Exploit Details: Behind the Scenes

Attackers analyze ANGLE’s codebase looking for type confusion instances, such as confusing class pointers or object destruction. Old bugs show that renderer calls with mismatched buffer types, or mistaken clean-up of certain WebGL objects, can trigger this.

Step 2: Use type confusion to cause Chrome to free the wrong object.

- Step 3: Heap is in a corrupted state; next allocation matches freed space—giving partial attacker control.

Step 4: Overwrite critical structures, steering execution to injected shellcode.

This is why Google rates the bug critical: a web page can take over your computer.

Patch Details

Chrome 124..6367.78 fixes this bug by tightening type checks and adding extra validation before ANGLE accesses memory.

If you haven't updated Chrome/etc. past this version, do it now!

Open Chrome

- Go to chrome://settings/help

Conclusion

CVE-2024-4058 is a major reminder to keep your browser updated. Type confusion bugs like this in ANGLE can let attackers hack your device just by you visiting a website.

References for deeper reading

- Chromium Security Page
- How ANGLE Works

Stay safe and keep those patches timely!

*This post is exclusive: original explanations and code examples for educational purposes only.*

Timeline

Published on: 05/01/2024 13:15:52 UTC
Last modified on: 06/07/2024 15:40:49 UTC