CVE-2024-12381

HIGH

Google Chrome < 131.0.6778.139 - Type Confusion in V8 via Crafted HTML Page

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-12381. PoCs published by FatfishIO, manus-use.

AI-analyzed exploit summary The repository contains a WebAssembly-based exploit for CVE-2024-12381, leveraging a JavaScript payload to trigger the vulnerability. The exploit includes a WASM module builder and appears to target a browser or JavaScript engine vulnerability.

Description

Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (2)

nomisec WORKING POC

by FatfishIO · poc

https://github.com/FatfishIO/CVE-2024-12381-PoC

View Code ZIP pw:eip

The repository contains a WebAssembly-based exploit for CVE-2024-12381, leveraging a JavaScript payload to trigger the vulnerability. The exploit includes a WASM module builder and appears to target a browser or JavaScript engine vulnerability.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Theoretical

Target: Unknown (likely a browser or JavaScript engine)

No auth needed

Prerequisites: Victim must visit a malicious webpage or execute the JavaScript payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 11, 2026 Full analysis →

github WORKING POC

by manus-use · postscriptpoc

https://github.com/manus-use/cve-pocs/tree/main/chrome-CVE-2024-12381

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2024-12381, targeting a Chrome vulnerability. The PoC includes a JavaScript file (`poc.js`) designed to exploit the vulnerability, along with other PoCs for different CVEs, demonstrating a collection of working exploits.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Google Chrome

No auth needed

Prerequisites: Target running vulnerable version of Chrome

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory

https://chromereleases.googleblog.com/2024/12/stable-channel-update-for-desktop_10.html

Permissions Required

https://issues.chromium.org/issues/381696874

Scores

CVSS v3 8.8

EPSS 0.0663

EPSS Percentile 91.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-843

Status published

Products (1)

google/chrome < 131.0.6778.139

Published Dec 12, 2024

Tracked Since Feb 18, 2026