CVE CyberSecurity Database News

CVE-2024-4331 - Exploiting a Use-After-Free in Google Chrome's Picture-in-Picture (PiP)

Poster -

Google Chrome is one of the most widely used web browsers, known for its speed and security. Yet, like any complex software, it sometimes contains serious vulnerabilities. One such issue, CVE-2024-4331, was discovered in Chrome’s Picture-in-Picture (PiP) feature and patched in version 124..6367.118. The bug allowed remote attackers to potentially exploit heap corruption with just a specially crafted HTML page. In this post, we break down how this bug works, its impact, and, for research purposes, show an example of how this class of bug is triggered.

What is CVE-2024-4331?

CVE-2024-4331 is a "use-after-free" vulnerability in the Picture-in-Picture implementation of Chrome. Use-after-free bugs happen when a program continues to use a piece of memory after it’s been freed (released). Attackers can sometimes exploit this to run code or crash the program.

Official Description

> Use after free in Picture In Picture in Google Chrome prior to 124..6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

- NVD Entry
- Chromium Issue Tracker

The Picture-in-Picture (PiP) Feature

Picture-in-Picture lets you pop out videos from a tab into a floating, always-on-top window. Under the hood, PiP manages its own JavaScript objects and UI. Bugs here can affect how Chrome manages memory for video elements.

A web page plays a video and triggers Picture-in-Picture mode through JavaScript.

2. The attacker’s crafted HTML/JS repeatedly attaches and detaches event handlers, or rapidly destroys and re-attaches video elements while the PiP window is active.
3. Due to a lifecycle bug, Chrome frees the video (or related handler) in memory even though it’s still referenced internally.
4. When Chrome later tries to access the freed object (because of an event or redraw), this can corrupt memory on the heap – which is potentially exploitable.

Code Snippet: Minimal Proof of Concept

Here’s a basic HTML sample that demonstrates the kind of operations that can expose a use-after-free like CVE-2024-4331. This does NOT exploit the bug but shows the type of rapid create/destroy process used in real exploits.

<!DOCTYPE html>
<html>
<body>
<video id="v" src="video.mp4" controls autoplay></video>
<script>
let pipWindow = null;
async function triggerPiP() {
    let video = document.getElementById('v');
    try {
        await video.requestPictureInPicture();
        // Rapidly remove and re-add video
        for (let i = ; i < 100; i++) {
            video.remove();
            document.body.appendChild(video);
        }
        // Simulate detaching handlers or elements
        video.onleavepictureinpicture = null;
    } catch (e) {
        console.error(e);
    }
}
triggerPiP();
</script>
</body>
</html>

WARNING: Exploiting vulnerabilities is illegal without authorization. This code is for educational purposes only.

Triggering PiP rapidly while layout, event, or garbage collection happens.

- Gaining control of what’s written/read when freed memory is re-used.

Researchers demonstrated that a crafted HTML page could crash Chrome and, with advanced techniques, potentially execute code with the browser's permissions. As of the disclosure, there’s no public evidence of this being used in the wild.

Responsible Reporting

- Chromium security team fixed the bug in version 124..6367.118.

References

- NVD: CVE-2024-4331
- Chromium Security Release Notes
- Chrome Picture-in-Picture Documentation
- Vulnerability Class: Use-After-Free

What Should You Do?

- Update Chrome to the latest version. Go to chrome://settings/help to force an update.

Final Word

CVE-2024-4331 is a reminder that even robust browsers like Chrome can have dangerous memory-related bugs in modern features like PiP. Thanks to Chrome’s quick response, most users are now protected. If you manage browsers or write web-facing code, stay on top of updates, and never run old versions for real browsing.

Stay safe, and keep your software updated!

*This post is based on public advisories and our own research. For questions or concerns, contact your vendor or refer to the official references above.*

Timeline

Published on: 05/01/2024 13:15:52 UTC
Last modified on: 07/03/2024 02:07:25 UTC