CVE-2024-5836

HIGH

Google Chrome < 126.0.6478.54 - Arbitrary Code Execution via Malicious Extension in DevTools

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-5836. PoCs published by ading2210.

AI-analyzed exploit summary This repository contains functional proof-of-concept exploits for CVE-2024-5836 and CVE-2024-6778, which are Chromium vulnerabilities allowing sandbox escape from a browser extension. The exploits demonstrate arbitrary JavaScript execution on privileged WebUI pages and a full sandbox escape via policy manipulation.

Description

Inappropriate Implementation in DevTools in Google Chrome prior to 126.0.6478.54 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High)

Exploits (1)

github WORKING POC 97 stars
by ading2210 · javascriptpoc
https://github.com/ading2210/CVE-2024-6778-POC

This repository contains functional proof-of-concept exploits for CVE-2024-5836 and CVE-2024-6778, which are Chromium vulnerabilities allowing sandbox escape from a browser extension. The exploits demonstrate arbitrary JavaScript execution on privileged WebUI pages and a full sandbox escape via policy manipulation.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Chromium < 126.0.6478.54
No auth needed
Prerequisites: Victim must have a vulnerable version of Chromium installed · Attacker must be able to install a malicious extension
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0047
EPSS Percentile 37.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-474
Status published
Products (3)
fedoraproject/fedora 39
fedoraproject/fedora 40
google/chrome < 126.0.6478.54
Published Jun 11, 2024
Tracked Since Feb 18, 2026