Chromium Vulnerabilities Addressed in Debian 12 “Bookworm”

Rohan Timalsina

March 26, 2024 - TuxCare expert team

Chromium is the open-source browser project that powers popular browsers like Google Chrome and Microsoft Edge. Users of Chromium browsers on Debian 12 “Bookworm” should be aware of recently discovered security vulnerabilities. If exploited, these vulnerabilities could allow attackers to compromise your system. The good news is that the Debian security team has released updates to address these vulnerabilities and safeguard user systems.

Overview of Chromium Vulnerabilities

The vulnerabilities affect Chromium versions prior to 122.0.6261.128, 122.0.6261.111, and 122.0.6261.94, depending on the issue, and reside in components such as the Performance Manager, the V8 engine, and FedCM. They are rated “High” severity under Chromium’s security rating system.

One of the key vulnerabilities identified is CVE-2024-2400, a “use after free” issue in the Performance Manager of Google Chrome prior to version 122.0.6261.128. This flaw could allow a remote attacker to exploit heap corruption through a crafted HTML page, potentially leading to the execution of arbitrary code with elevated privileges. The severity of this vulnerability is classified as high, underlining the urgency of applying the necessary security updates.

Another significant vulnerability is CVE-2024-2173, which pertains to an “out of bounds memory access” issue in the V8 JavaScript engine of Google Chrome prior to version 122.0.6261.111. Through a specially crafted HTML page, a remote attacker could exploit this flaw to perform unauthorized memory access beyond the bounds of allocated memory.

CVE-2024-2174 highlights an inappropriate implementation issue within the V8 JavaScript engine, also present in Google Chrome prior to version 122.0.6261.111. This vulnerability could be exploited by a remote attacker to trigger heap corruption via a crafted HTML page, posing a significant security risk to users’ systems and data. Similarly, CVE-2024-2176 involves a “use after free” vulnerability in the FedCM component of Google Chrome, potentially leading to heap corruption through crafted HTML pages.

In addition, CVE-2024-1938 and CVE-2024-1939 are type confusion issues in the V8 JavaScript engine, present in Google Chrome versions prior to 122.0.6261.94. Using crafted HTML pages, a remote attacker could potentially exploit object corruption and heap corruption, respectively.

Staying Secure: Upgrading Chromium on Debian

To ensure your system remains secure, it is essential to upgrade your Chromium package to the latest version. This update will patch the Chromium vulnerabilities mentioned above and safeguard your system from potential attacks.

Upgrading software packages on Debian is a straightforward process. You can use the default package manager, apt, to update Chromium. Here’s an example command using apt:

sudo apt update && sudo apt upgrade chromium

This command will update the package lists and then upgrade Chromium to the latest version available in the Debian repositories.
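
To confirm that the upgrade covers the issues described above, the installed package version can be compared with the fixed-in versions quoted in this article. The shell functions below are an added example, not part of the original article or of Debian's tooling; the function names and sample version strings are constructed for illustration, and the comparison assumes purely numeric dotted upstream versions.

```shell
#!/bin/sh
# Added example: list which CVEs from this article a chromium package
# version still lacks fixes for. Fixed-in versions are those quoted above.

# Strip the epoch ("1:") and Debian revision ("-1~deb12u1") from a version.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%%-*}"
}

# Return 0 if dotted version $1 >= $2 (assumes numeric components only).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Print the article's CVEs that remain unpatched in package version $1.
unpatched_cves() {
    up=$(upstream_version "$1")
    out=
    version_ge "$up" 122.0.6261.94 || out="$out CVE-2024-1938 CVE-2024-1939"
    version_ge "$up" 122.0.6261.111 ||
        out="$out CVE-2024-2173 CVE-2024-2174 CVE-2024-2176"
    version_ge "$up" 122.0.6261.128 || out="$out CVE-2024-2400"
    printf '%s\n' "${out# }"
}

# Constructed sample package versions, for illustration only.
for ver in 122.0.6261.57-1~deb12u1 122.0.6261.111-1~deb12u1 \
           122.0.6261.128-1~deb12u1; do
    printf '%s -> %s\n' "$ver" "$(unpatched_cves "$ver")"
done
```

On a Debian host, pass the real installed version with `unpatched_cves "$(dpkg-query -W -f='${Version}' chromium)"`; empty output means all six CVEs listed here are covered.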

Conclusion

By keeping your Chromium browser up-to-date, you can significantly reduce the risk of falling victim to these vulnerabilities. Remember, it’s always a good practice to stay informed about security updates and apply them promptly to maintain a secure computing environment.

TuxCare’s KernelCare Enterprise offers a live kernel patching solution for all popular Linux distributions, including Debian, Ubuntu, CentOS, AlmaLinux, Rocky Linux, RHEL, Oracle Linux, and more. It automatically applies security patches on your running kernel without needing a system reboot or maintenance windows. Learn more about how live patching works with KernelCare Enterprise.

Source: Debian Security Advisories
