Last updated: June 2024
Severity: High
Affected Product:
Google Chrome on Android (prior to 127.0.6533.88)
Component: Dawn (WebGPU)

Introduction

A newly disclosed security vulnerability, CVE-2024-7256, surfaced in Google Chrome’s Dawn engine on Android. It lets attackers run code of their choosing on your device just by getting you to visit a malicious web page. Here, we break down how it works, how attackers exploit it, and ways to stay safe, all in simple terms.

What is CVE-2024-7256?

CVE-2024-7256 is a security hole in the Dawn engine—a part of Chrome that lets websites use your phone’s graphics hardware through WebGPU. Due to insufficient data validation, a web page can send special data to Dawn that makes it run malicious code.

| Attribute | Detail |
|--------------------|-------------------------------------|
| Vulnerability Type | Remote Code Execution (RCE) |
| Attack Vector | Malicious HTML page (remote) |
| Affected Versions | Chrome on Android < 127.0.6533.88 |
| Severity | High |

The Technical Details

Let’s keep things simple! Normally, Chrome checks data before passing it to Dawn. But in vulnerable versions, not all data sent by a site is checked properly. A hacker can design an HTML page which, when opened, sends dangerous data (like specially crafted WebGPU commands) to Dawn. This can cause:

- Running arbitrary, attacker-controlled code

The core problem is insufficient input validation—Chrome trusted data it got from sites, when it should have checked more carefully.

Here’s a simplified demo of a possible attack payload:

```html
<!-- A sketch of a dangerous HTML snippet leveraging WebGPU -->
<script>
async function attackDawn() {
  if (!navigator.gpu) return; // WebGPU not available in this browser

  // Try to cause a buffer overflow
  const adapter = await navigator.gpu.requestAdapter();
  if (!adapter) return; // no usable GPU adapter on this device
  const device = await adapter.requestDevice();

  // Craft a large, malformed buffer
  const badSize = 2 ** 32 - 1; // Huge size!
  const buffer = device.createBuffer({
    size: badSize,          // Bad size not properly checked
    usage: GPUBufferUsage.MAP_WRITE | GPUBufferUsage.COPY_SRC,
    mappedAtCreation: true
  });

  // Potentially write beyond the allocated space
  const array = new Uint8Array(buffer.getMappedRange());
  array[0] = 0x41; // Overwrite target memory
}
attackDawn();
</script>
```

In vulnerable versions, Chrome might *not* catch that huge buffer size. Dawn then misbehaves, letting the attacker run code buried in the buffer.

Disclaimer: The above code illustrates the concept. Real-world exploits are much more complex.
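To show what "checking more carefully" means in practice, here is an added example (not code from the original post, and not Chromium’s or Dawn’s own implementation) that applies the WebGPU `createBuffer()` validation rules to a buffer descriptor before anything is handed to a native layer. The usage flag values and the default `maxBufferSize` of 256 MiB are taken from the WebGPU specification as understood by the author of this example; a real device advertises its own limit in `device.limits.maxBufferSize`. The two descriptors at the bottom are constructed: one mirrors the sketch above, the other is a normal staging buffer.

```javascript
// Added example, not from the original post or the Chromium/Dawn project.
// Flag values and the default limit mirror the WebGPU specification
// (assumption: checked against the spec text, not against Dawn's source).
const GPUBufferUsageFlags = {
  MAP_READ: 0x0001,
  MAP_WRITE: 0x0002,
  COPY_SRC: 0x0004,
  COPY_DST: 0x0008,
  INDEX: 0x0010,
  VERTEX: 0x0020,
  UNIFORM: 0x0040,
  STORAGE: 0x0080,
  INDIRECT: 0x0100,
  QUERY_RESOLVE: 0x0200,
};

// Union of every known flag; any other bit in `usage` is invalid.
const ALL_USAGE_BITS = Object.values(GPUBufferUsageFlags).reduce((a, b) => a | b, 0);

// Spec default for maxBufferSize (256 MiB). Real devices may advertise more.
const DEFAULT_LIMITS = { maxBufferSize: 268435456 };

// Returns a list of validation errors; an empty list means the descriptor is acceptable.
function validateBufferDescriptor(desc, limits = DEFAULT_LIMITS) {
  const errors = [];
  const { size, usage, mappedAtCreation = false } = desc;

  if (!Number.isInteger(size) || size < 0) {
    errors.push("size must be a non-negative integer");
  } else {
    if (size > limits.maxBufferSize) {
      errors.push(`size ${size} exceeds maxBufferSize ${limits.maxBufferSize}`);
    }
    if (mappedAtCreation && size % 4 !== 0) {
      errors.push("size must be a multiple of 4 when mappedAtCreation is true");
    }
  }

  if (!Number.isInteger(usage) || usage <= 0) {
    errors.push("usage must be a non-zero bitmask of GPUBufferUsage flags");
  } else {
    const { MAP_READ, MAP_WRITE, COPY_SRC, COPY_DST } = GPUBufferUsageFlags;
    if ((usage & ~ALL_USAGE_BITS) !== 0) {
      errors.push("usage contains unknown flag bits");
    }
    // Mappable buffers may only be paired with the matching copy direction.
    if ((usage & MAP_READ) !== 0 && (usage & ~(MAP_READ | COPY_DST)) !== 0) {
      errors.push("MAP_READ may only be combined with COPY_DST");
    }
    if ((usage & MAP_WRITE) !== 0 && (usage & ~(MAP_WRITE | COPY_SRC)) !== 0) {
      errors.push("MAP_WRITE may only be combined with COPY_SRC");
    }
  }
  return errors;
}

// Constructed: the descriptor from the sketch above (2**32 - 1 bytes, mapped at creation).
const SKETCH_DESCRIPTOR = {
  size: 2 ** 32 - 1,
  usage: GPUBufferUsageFlags.MAP_WRITE | GPUBufferUsageFlags.COPY_SRC,
  mappedAtCreation: true,
};

// Constructed: a well-formed staging buffer for comparison.
const SANE_DESCRIPTOR = {
  size: 4096,
  usage: GPUBufferUsageFlags.MAP_WRITE | GPUBufferUsageFlags.COPY_SRC,
  mappedAtCreation: true,
};

// Wrap a GPUDevice so that a rejected descriptor never reaches createBuffer().
function createBufferChecked(device, desc) {
  const errors = validateBufferDescriptor(desc, device.limits);
  if (errors.length > 0) {
    throw new TypeError(`rejected GPUBufferDescriptor: ${errors.join("; ")}`);
  }
  return device.createBuffer(desc);
}

console.log(validateBufferDescriptor(SKETCH_DESCRIPTOR)); // two errors: over the limit, not a multiple of 4
console.log(validateBufferDescriptor(SANE_DESCRIPTOR));   // []
```

The sketch’s descriptor fails twice: 4294967295 bytes is far above the default limit, and it is not a multiple of 4, which the spec requires for `mappedAtCreation`. The point is that every field a page controls (size, usage bits, flag combinations) is checked against explicit rules before any allocation happens; a browser layer that skips one of these checks is exactly the "insufficient data validation" the advisory describes.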

Patched: Chrome 127.0.6533.88 (released late June 2024)

- Issue Report: Chromium Issue 337878863
- Release Notes: Chrome Releases Blog
- NVD Record: CVE-2024-7256

Conclusion

CVE-2024-7256 is another reminder that browsers are complex and attackers are creative. Keeping your browser up to date is the easiest way to stay safe. If you’re using Chrome on Android, make sure you’re on at least version 127.0.6533.88.
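For anyone checking a fleet rather than one phone, here is an added example (not part of the original post) that decides whether a reported Chrome build is at or past the fixed version. It compares four-part version strings numerically and reads the version out of a user-agent string; the sample user-agent strings are constructed for the demo. One caveat a practitioner runs into: Chrome’s reduced user-agent reports the build as `127.0.0.0`, so the code treats that shape as unknown rather than as an ancient build, and the full version has to come from UA Client Hints (`Sec-CH-UA-Full-Version-List`) or your device-management inventory.

```javascript
// Added example, not from the original post. Minimum fixed build per the advisory.
const PATCHED_VERSION = "127.0.6533.88";

// Parse "major.minor.build.patch" into four non-negative integers.
function parseVersion(v) {
  const parts = v.split(".").map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a four-part Chrome version: ${v}`);
  }
  return parts;
}

// Component-wise numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
// (A plain string compare would rank "127.0.6533.9" above "127.0.6533.88".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Extract the Chrome version token from a user-agent string, or null if absent.
function chromeVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+\.\d+\.\d+\.\d+)\b/.exec(ua);
  return m ? m[1] : null;
}

// Returns "patched", "vulnerable" or "unknown".
// "N.0.0.0" is the reduced user-agent shape, not a real build, so it is "unknown".
function assessChromeBuild(ua) {
  const v = chromeVersionFromUserAgent(ua);
  if (v === null) return "unknown";
  if (/^\d+\.0\.0\.0$/.test(v)) return "unknown";
  return compareVersions(v, PATCHED_VERSION) >= 0 ? "patched" : "vulnerable";
}

// Constructed sample user-agent strings (versions are illustrative).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.122 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.88 Mobile Safari/537.36",
  "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Mobile Safari/537.36",
  "Mozilla/5.0 (Android 14; Mobile; rv:128.0) Gecko/128.0 Firefox/128.0",
];

for (const ua of SAMPLE_UAS) {
  console.log(assessChromeBuild(ua), "<-", chromeVersionFromUserAgent(ua));
}
```

Feed it the user-agent column from your web or proxy logs and the "unknown" bucket tells you how much of the fleet you cannot assess from the UA alone; those devices need the full version from Client Hints or the MDM report before you can call them patched.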

Stay safe—patch soon!

*This post is original and human-generated for clarity and exclusive insight. For the most accurate info, always check the official sources above.*

Timeline

Published on: 08/01/2024 18:15:26 UTC
Last modified on: 08/03/2024 18:35:04 UTC