Thorium-MacOS
Thorium-MacOS copied to clipboard
Alex313031
VULNERABILITIES/EXPLOITS: 78 CVEs
System Details
- Thorium Version: Latest (
126.0.6478.231)
Problem
Thorium is currently using Chromium 126.0.6478.231 which has 78 associated CVEs:
- Critical:
2 - High:
34 - Medium:
30 - Low:
12
These vulnerabilities range several versions starting at 126.0.6478.231 up to 130.0.6723.58, including several that were news worthy, two of which are referenced in this article:
Additional Notes
A full list of the exploits can be found below:
Table of CVEs from 126.0.6478.231 to 130.0.6723.58
| Name | Description | Version | Severity |
|---|---|---|---|
| CVE-2024-9954 | Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 130.0.6723.58 | High |
| CVE-2024-9966 | Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-9965 | Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-9964 | Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-9963 | Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9962 | Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9961 | Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9960 | Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9959 | Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9958 | Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9957 | Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9956 | Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9955 | Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9603 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.100 | High |
| CVE-2024-9602 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.100 | High |
| CVE-2024-9123 | Integer overflow in Skia in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9122 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9121 | Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9120 | Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-8904 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.58 | High |
| CVE-2024-8909 | Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 129.0.6668.58 | Low |
| CVE-2024-8908 | Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 129.0.6668.58 | Low |
| CVE-2024-8907 | Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
| CVE-2024-8906 | Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
| CVE-2024-8905 | Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
| CVE-2024-8639 | Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.137 | High |
| CVE-2024-8638 | Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.137 | High |
| CVE-2024-8637 | Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.137 | High |
| CVE-2024-8636 | Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.137 | High |
| CVE-2024-8362 | Use after free in WebAudio in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.119 | High |
| CVE-2024-7970 | Out of bounds write in V8 in Google Chrome prior to 128.0.6613.119 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.119 | High |
| CVE-2024-8198 | Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.113 | High |
| CVE-2024-8194 | Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.113 | High |
| CVE-2024-8193 | Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.113 | High |
| CVE-2024-7969 | Type Confusion in V8 in Google Chrome prior to 128.0.6613.113 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.113 | High |
| CVE-2024-7971 | Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-7968 | Use after free in Autofill in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had convinced the user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-7967 | Heap buffer overflow in Fonts in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-7966 | Out of bounds memory access in Skia in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who had compromised the renderer process to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-7965 | Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-7964 | Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.84 | High |
| CVE-2024-8035 | Inappropriate implementation in Extensions in Google Chrome on Windows prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 128.0.6613.84 | Low |
| CVE-2024-8034 | Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 128.0.6613.84 | Low |
| CVE-2024-8033 | Inappropriate implementation in WebApp Installs in Google Chrome on Windows prior to 128.0.6613.84 allowed an attacker who convinced a user to install a malicious application to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 128.0.6613.84 | Low |
| CVE-2024-7981 | Inappropriate implementation in Views in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 128.0.6613.84 | Low |
| CVE-2024-7980 | Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7979 | Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a crafted symbolic link. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7978 | Insufficient policy enforcement in Data Transfer in Google Chrome prior to 128.0.6613.84 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7977 | Insufficient data validation in Installer in Google Chrome on Windows prior to 128.0.6613.84 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7976 | Inappropriate implementation in FedCM in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7975 | Inappropriate implementation in Permissions in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7974 | Insufficient data validation in V8 API in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7973 | Heap buffer overflow in PDFium in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7972 | Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | 128.0.6613.84 | Medium |
| CVE-2024-7023 | Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) | 128.0.6537.0 | Medium |
| CVE-2024-7532 | Out of bounds memory access in ANGLE in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 127.0.6533.99 | Critical |
| CVE-2024-7550 | Type Confusion in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.99 | High |
| CVE-2024-7536 | Use after free in WebAudio in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.99 | High |
| CVE-2024-7535 | Inappropriate implementation in V8 in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.99 | High |
| CVE-2024-7534 | Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.99 | High |
| CVE-2024-7533 | Use after free in Sharing in Google Chrome on iOS prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.99 | High |
| CVE-2024-6990 | Uninitialized Use in Dawn in Google Chrome on Android prior to 127.0.6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical) | 127.0.6533.88 | Critical |
| CVE-2024-7256 | Insufficient data validation in Dawn in Google Chrome on Android prior to 127.0.6533.88 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.88 | High |
| CVE-2024-7255 | Out of bounds read in WebTransport in Google Chrome prior to 127.0.6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.88 | High |
| CVE-2024-6991 | Use after free in Dawn in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.72 | High |
| CVE-2024-6989 | Use after free in Loader in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.72 | High |
| CVE-2024-6988 | Use after free in Downloads in Google Chrome on iOS prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 127.0.6533.72 | High |
| CVE-2024-7005 | Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low) | 127.0.6533.72 | Low |
| CVE-2024-7004 | Insufficient validation of untrusted input in Safe Browsing in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a malicious file. (Chromium security severity: Low) | 127.0.6533.72 | Low |
| CVE-2024-7003 | Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 127.0.6533.72 | Low |
| CVE-2024-7001 | Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-7000 | Use after free in CSS in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6999 | Inappropriate implementation in FedCM in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6998 | Use after free in User Education in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6997 | Use after free in Tabs in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6996 | Race in Frames in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6995 | Inappropriate implementation in Fullscreen in Google Chrome on Android prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
| CVE-2024-6994 | Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 127.0.6533.72 | Medium |
It will be updated to version 128 soon, and I believe it will fix many vulnerabilities.
Yeah, that'll be great! That'll resolve CVE-2024-7971 and CVE-2024-7965, which I believe are being actively exploited. Unfortunately, it'll still leave some others open, but most of them don't have too high of an EPSS, except for maybe CVE-2024-9954, which has a similar EPSS score to CVE-2024-7971 and CVE-2024-7965
Moving to 128 would leave the following open :+1:
Tables of CVEs from 129.0.6668.58 to 130.0.6723.58
High
| Name | Description | Version | Severity |
|---|---|---|---|
| CVE-2024-9954 | Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 130.0.6723.58 | High |
| CVE-2024-9603 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.100 | High |
| CVE-2024-9602 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.100 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.100 | High |
| CVE-2024-9123 | Integer overflow in Skia in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9122 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9121 | Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.70 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-9120 | Use after free in Dawn in Google Chrome on Windows prior to 129.0.6668.70 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.70 | High |
| CVE-2024-8904 | Type Confusion in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 129.0.6668.58 | High |
| CVE-2024-8639 | Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 128.0.6613.137 | High |
Medium
| Name | Description | Version | Severity |
|---|---|---|---|
| CVE-2024-9963 | Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9962 | Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9961 | Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9960 | Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9959 | Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9958 | Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9957 | Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9956 | Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-9955 | Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 130.0.6723.58 | Medium |
| CVE-2024-8907 | Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
| CVE-2024-8906 | Incorrect security UI in Downloads in Google Chrome prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
| CVE-2024-8905 | Inappropriate implementation in V8 in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium) | 129.0.6668.58 | Medium |
Low
| Name | Description | Version | Severity |
|---|---|---|---|
| CVE-2024-9966 | Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-9965 | Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-9964 | Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 130.0.6723.58 | Low |
| CVE-2024-8909 | Inappropriate implementation in UI in Google Chrome on iOS prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 129.0.6668.58 | Low |
| CVE-2024-8908 | Inappropriate implementation in Autofill in Google Chrome prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 129.0.6668.58 | Low |
Heya @Alex313031,
There are some more exploits that were found targeting 130, 131, and below in October and November since the original post with some relatively high CVSSs (most are ~8.8 CVSS):
Keep up the great work. We believe in you! :rocket:
@Swivelgames @khaledh Working as fast as we can. Its crashing.
Still crashing? Are you working with 131, 132, 133, or 134 right now?
Alex is on it and doing as much as possible.
Please be patient and/or use another browser in the meantime.
That didn't answer either question, but thanks for the response I suppose.
I'd like to provide some context. Maybe not necessarily to quell any valid concerns (chief among them are the reason I initially created this issue ticket; namely, the two actively exploited vulnerabilities, and additional vulnerabilities that have the potential to become actively exploited in the near future), but maybe to put the large lists in this issue ticket into a "less scary" perspective.
Today, Google released a new version of Chrome stable.
Presently, we have the following versions table:
| Browser | Version | Chrome Stable Release Date |
|---|---|---|
| Chrome (Canary) | 134.0.6963.0 |
UNSTABLE |
| Chrome (Stable) | 132.0.6834.94 |
2025/01/17 |
| Chrome (LTS-126) | 126.0.6478.261 |
2025/01/08 |
| Thorium (macOS) | 126.0.6478.231 |
2024/06/11 |
| Brave | 132.0.6834.83 |
2025/01/14 |
| Vanadium | 132.0.6834.79.2 |
2025/01/14 |
| ungoogled-chromium | 131.0.6778.264-1 |
2025/01/07 |
| Iridium | 131.0.6778.85 |
2025/01/07 |
It's my understanding that Thorium is a mixture of major in-house optimizations, and patches from projects like ungoogled-chromium, Vanandium, Brave, Iridium, and a laundry list of other sources.
The effort to effectively modify and reapply all of these patches from such a massive list of sources is very large.
What this means is that, without the manual work that is done to bring make these patches compatible with the latest version of stable Chrome, Thorium is only able to upgrade Thorium to the most recent version of the oldest patch that it relies on, unless the decision is made to drop the specific patch if its determined that the gains do not justify the effort in adopting the patch going forward.
While CVEs are announced at a relatively high frequency, it's worth noting that CISA's KEV Catalog still only lists two CVEs as actively exploited since Chromium 126 was released:
- CVE-2024-7965
- CVE-2024-7971
No other CVEs listed here in this issue or elsewhere are known as being actively exploited in the wild at the time of writing this. Many CVEs that get reported, in fact, are technically vulnerabilities, but the circumstances required to actually exploit them are so improbable that it makes them almost entirely impractical to reliably exploit them in the wild.
That being said, as much as I've sung Thorium's praises over the years in my inner circles, I've recently switched away from Thorium until it can be updated to a more appropriate version more regularly. ❤
I'll eagerly await an update from @Alex313031 when he has one!
@Alex313031 the dedication and time you put into making the browser I love is beyond what we could ask. Those of us who use this browser do so because we believe in its value. I will keep using it as long as I can but the security of my machines have to be at the up most importance. With browser extensions becoming a very effective breach point having the most recent security patches become ever more important. I have faith in this browser and you and your team. If there is anything I can do to actively contribute to its success please let me know. I look forward to the next version!!!!
Just got the v130 update for Thorium Linux 🎉
Awesome work! 🚀
For those interested, here's an updated versions table:
| Browser | Version | Chrome Stable Release Date |
|---|---|---|
| Chrome (Canary) | 135.0.7008.1 |
UNSTABLE |
| Chrome (Stable) | 133.0.6943.53 |
2025/02/04 |
| Chrome (LTS-126) | 126.0.6478.264 |
2025/02/07 |
| Thorium (macOS) | 126.0.6478.231 |
2024/06/11 |
| Thorium (Linux) | 130.0.6723.174-1 |
2025/02/09 |
| Brave | 133.0.6943.54 |
2025/02/06 |
| Vanadium | 133.0.6943.49.0 |
2025/02/04 |
| ungoogled-chromium | 133.0.6943.53-1 |
2025/02/07 |
| Iridium | 131.0.6778.85 |
2024/11/26 |
Based on previous releases, as long as macOS doesn't continue to have stability issues, we might be able to hopefully see macOS version updated in the next week (all speculation on my part, of course).
Glad to see the new version available on Linux, though, which is my primary OS 🎉