A serious security flaw, tracked as CVE-2024-6103, was recently found and fixed in Google Chrome, specifically in the Dawn component. This bug is a *use-after-free* vulnerability that existed in Chrome versions prior to 126..6478.114. It could let a remote attacker trigger heap corruption just by getting you to visit a crafted HTML page.
This post explains what happened, why it’s dangerous, how attackers could exploit it, and what you should do. We’ll go step by step, include code snippets and plain language, and link to all original sources.
What Is Dawn in Chrome?
Dawn is Chrome’s implementation of WebGPU—an API for modern graphics and computation on the Web. WebGPU is starting to replace older APIs like WebGL, and as with any new tech, bugs crop up.
What Is a Use-After-Free?
A *use-after-free* happens when code tries to use (read/write) memory after it has been released (freed). If an attacker can control what data is in that piece of memory, they can corrupt data, crash the browser, or run code.
The Vulnerability: CVE-2024-6103
In simple terms: Chrome failed to handle memory correctly in the Dawn module, leading to a use-after-free condition.
According to the Chromium bug tracker (now restricted for security), a flaw in the way Dawn handled GPU resources meant that a webpage could trigger Chrome to reuse memory after it had been freed. An attacker could potentially exploit this to corrupt the heap, which is a way to gain control or crash the browser.
Official Security Report
- CVE page: Chromium Security Advisories: CVE-2024-6103
- Release notes: Chrome Stable Channel Update for Desktop
- Bug entry: Chromium 3352671 (restricted)
Attack Scenario
A remote attacker could convince a target to open a specially crafted webpage. The page triggers JavaScript that uses the WebGPU API in specific ways to trigger the use-after-free.
Here’s a simplified concept of how an exploit might look, with some guesswork based on public patches and typical UAF exploitation:
// Pseudo-proof-of-concept for illustration
// Create a WebGPU device using Dawn
const adapter = await navigator.gpu.requestAdapter();
const device = await adapter.requestDevice();
// Function that triggers resource allocation and freeing
function triggerUseAfterFree() {
let buffer = device.createBuffer({
size: 1024,
usage: GPUBufferUsage.MAP_WRITE | GPUBufferUsage.COPY_DST
});
// Release the buffer (this is simplified)
buffer.destroy();
// Immediately attempt another operation that could reference the freed buffer
// In reality, exploit specifics would target destructor timing
device.createBuffer({size: 1024, usage: GPUBufferUsage.MAP_WRITE});
}
triggerUseAfterFree();
// Attacker would fill the heap with controllable data here
Note: The actual exploit would require careful manipulation, often using heap spraying or repeated allocation/free cycles to control the heap layout, and might further try to execute code via ROP or similar techniques.
Severity: High (Chromium rating)
What Happened Behind the Scenes?
The vulnerability was reported by external researchers. Within days, the Chrome team patched the bug, releasing the fix as part of version 126..6478.114 (release notes). The specific details of the fix are not public for user safety, but it fundamentally prevents the reused pointer scenario in Dawn's memory management.
How Do You Protect Yourself?
1. Update Chrome:
If your Chrome browser is *before* version 126..6478.114, you are at risk. Go to Menu > Help > About Google Chrome — it should update automatically.
2. Other Browsers:
Because Chromium powers many browsers (like Edge, Brave, Opera), make sure you keep all Chromium-based browsers updated!
3. Be cautious:
This bug could be triggered by a simple web page, so only browse trusted sites and be wary of suspicious links.
References
- Chrome Stable Channel Update – June 13, 2024
- NIST NVD: CVE-2024-6103
- Dawn: Chrome's WebGPU implementation
- WebGPU documentation
- OWASP: Use After Free
Conclusion
CVE-2024-6103 is a textbook example of why low-level memory bugs continue to be a huge security risk, especially as browsers introduce new features like WebGPU. Always keep your browser updated, and remember that memory corruption bugs can often be exploited remotely with nothing but a crafted HTML page.
Timeline
Published on: 06/20/2024 00:15:10 UTC
Last modified on: 07/03/2024 02:09:43 UTC