CVE-2024-21640 - Vulnerability Details - OpenCVE

Description

Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications.`CefVideoConsumerOSR::OnFrameCaptured` does not check `pixel_format` properly, which leads to out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.

Published: 2024-01-13

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

chromiumembedded

cef

affected

Version	Status	Constraints
`< commit 1f55d2e`	affected	—

Configuration 1 [-]

cpe:2.3:a:chromiumembedded:chromium_embedded_framework:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-19278	Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications.`CefVideoConsumerOSR::OnFrameCaptured` does not check `pixel_format` properly, which leads to out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00246.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b
https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh

History

No history.

Subscriptions

Chromiumembedded Chromium Embedded Framework

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-13T07:40:10.324Z

Updated: 2025-06-17T21:09:22.073Z

Reserved: 2023-12-29T03:00:44.957Z

Link: CVE-2024-21640

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-13T08:15:07.340

Modified: 2024-11-21T08:54:46.913

Link: CVE-2024-21640

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-125

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21640", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.957Z", "datePublished": "2024-01-13T07:40:10.324Z", "dateUpdated": "2025-06-17T21:09:22.073Z"}, "containers": {"cna": {"title": "OOB Access in CefVideoConsumerOSR::OnFrameCaptured", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh"}, {"name": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b", "tags": ["x_refsource_MISC"], "url": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b"}], "affected": [{"vendor": "chromiumembedded", "product": "cef", "versions": [{"version": "< commit 1f55d2e", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-13T07:40:10.324Z"}, "descriptions": [{"lang": "en", "value": "Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications.`CefVideoConsumerOSR::OnFrameCaptured` does not check `pixel_format` properly, which leads to out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.\n\n"}], "source": {"advisory": "GHSA-3h3j-38xq-v7hh", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.810Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh"}, {"name": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21640", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-16T16:19:20.541192Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T21:09:22.073Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chromiumembedded:chromium_embedded_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DDE5170-AEB5-4EB6-B436-9634C0190E6A", "versionEndExcluding": "2024-01-05", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications.`CefVideoConsumerOSR::OnFrameCaptured` does not check `pixel_format` properly, which leads to out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.\n\n"}, {"lang": "es", "value": "Chromium Embedded Framework (CEF) es un framework simple para incrustar navegadores basados en Chromium en otras aplicaciones. `CefVideoConsumerOSR::OnFrameCaptured` no verifica `pixel_format` correctamente, lo que lleva a lecturas fuera de los l\u00edmites fuera de la sandbox. Esta vulnerabilidad fue parcheada en el commit 1f55d2e."}], "id": "CVE-2024-21640", "lastModified": "2024-11-21T08:54:46.913", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-13T08:15:07.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/chromiumembedded/cef/commit/1f55d2e12f62cfdfbf9da6968fde2f928982670b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/chromiumembedded/cef/security/advisories/GHSA-3h3j-38xq-v7hh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}