Google Chrome Out-of-Bounds Read Vulnerability in Media Component Allowing Memory Access

Vulnerability

A medium-severity out-of-bounds read vulnerability has been identified in the Media component of Google Chrome, affecting versions prior to 134.0.6998.35. A remote attacker who lures a user to a crafted HTML page can cause the browser to read memory beyond the bounds of a heap buffer. The root cause is insufficient validation of the 'frame_count' parameter when an AudioBuffer is created from data received over Mojo IPC: the frame count carried in the message is trusted without checking that the accompanying audio data is actually large enough to hold that many frames, so the resulting buffer extends past the end of the received data (a heap-buffer-overflow read). Because the encoded output is returned to the renderer process, bytes read from outside the buffer can be exposed to the page that triggered the bug, enabling information leakage and potentially aiding further exploitation.

Impact

The flaw is an out-of-bounds read: it discloses memory rather than overwriting it, so on its own it does not corrupt memory. The out-of-bounds data is encoded along with the legitimate audio and sent back to the renderer process, so the practical risk is leakage of adjacent heap contents to attacker-controlled script, which may also assist further exploitation, for example as one step in a larger exploit chain.
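The Vulnerability and Impact sections above describe a header field (frame_count) that is trusted across an IPC boundary. The following is an added example written for this page, not Chromium's own code; the struct and function names are assumptions. It contrasts the unhardened pattern, which sizes the buffer purely from the header, with a hardened one that refuses any message whose claimed frame_count * channel_count exceeds the samples actually received and also rejects non-positive values and multiplication overflow.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Illustrative stand-in for a deserialized IPC message carrying interleaved
// signed 16-bit PCM. The names are assumptions, not Chromium's real Mojo types.
struct AudioDataS16 {
  int32_t channel_count;         // claimed by the sender
  int32_t frame_count;           // claimed by the sender (attacker-controlled)
  std::vector<int16_t> samples;  // payload that actually arrived over IPC
};

// Builds a constructed test message: the header claims `frames` frames of
// `channels` channels, while only `received_samples` samples are attached.
AudioDataS16 MakeConstructedMessage(int32_t channels, int32_t frames,
                                    size_t received_samples) {
  return AudioDataS16{channels, frames,
                      std::vector<int16_t>(received_samples, 0)};
}

// Number of samples the header implies, or nullopt if the header is
// nonsensical (non-positive counts) or the product would overflow size_t
// (relevant on 32-bit builds; on 64-bit the overflow check still costs nothing).
std::optional<size_t> RequiredSamples(int32_t frame_count,
                                      int32_t channel_count) {
  if (frame_count <= 0 || channel_count <= 0) return std::nullopt;
  const size_t f = static_cast<size_t>(frame_count);
  const size_t c = static_cast<size_t>(channel_count);
  if (f > std::numeric_limits<size_t>::max() / c) return std::nullopt;
  return f * c;
}

// Unhardened pattern: the copy length comes from the header alone.
// Returns how many samples such a copy would read; when this exceeds
// msg.samples.size(), performing the copy is exactly the out-of-bounds read.
// (This function only computes the length; it never performs the unsafe copy.)
size_t UnvalidatedCopyLength(const AudioDataS16& msg) {
  return static_cast<size_t>(msg.frame_count) *
         static_cast<size_t>(msg.channel_count);
}

// Hardened pattern: validate the header against the received payload before
// constructing the buffer. Returns nullopt for any inconsistent message.
std::optional<std::vector<int16_t>> MakeAudioBuffer(const AudioDataS16& msg) {
  const std::optional<size_t> needed =
      RequiredSamples(msg.frame_count, msg.channel_count);
  if (!needed || *needed > msg.samples.size()) return std::nullopt;
  return std::vector<int16_t>(msg.samples.begin(),
                              msg.samples.begin() + static_cast<std::ptrdiff_t>(*needed));
}

// Convenience for a stand-alone demo: true if the hardened path rejects the
// message while the unhardened length would have overrun the payload.
bool RejectedOverrun(const AudioDataS16& msg) {
  return !MakeAudioBuffer(msg).has_value() &&
         UnvalidatedCopyLength(msg) > msg.samples.size();
}

int main() {
  // Consistent message: 4 frames x 2 channels = 8 samples, 8 received.
  const AudioDataS16 good = MakeConstructedMessage(2, 4, 8);
  // Inflated header: claims 4096 frames but only 8 samples were sent.
  const AudioDataS16 inflated = MakeConstructedMessage(2, 4096, 8);
  return (MakeAudioBuffer(good).has_value() && RejectedOverrun(inflated)) ? 0 : 1;
}
```

The check belongs on the receiving side of the IPC boundary (here the GPU process), because the renderer is the less-trusted peer and every length or count it sends must be treated as attacker-controlled and bounded by the bytes that actually arrived.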

Reproduction

The vulnerability can be reproduced by building Google Chrome with the build flags that enable the relevant Mojo features. After launching Chrome with those flags, attach a debugger to the GPU process, which is where the affected code runs, then visit a specially crafted HTML page. The out-of-bounds read crashes the GPU process, and the crash can be observed in the attached debugger; an AddressSanitizer build reports it as a heap-buffer-overflow.

Remediation

Users should update to Google Chrome version 134.0.6998.35 or later, where this vulnerability has been fixed. The installed version can be checked at chrome://version or via Help > About Google Chrome, which also triggers an update check; a browser restart is required for the update to take effect. Other Chromium-based browsers pick up the fix on their own release schedules and should be checked separately.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.