Contents

Docs

General
Provisioning
Work profile
Fully managed
App management
FAQ

Change log

Share this page

CVE-2024-0519, Chrome for Android

Google has recently patched a known and exploited vulnerability in V8, the JavaScript engine. According to NIST:

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-0519

Chrome for Android release: https://chromereleases.googleblog.com/2024/01/chrome-for-android-update_0556626765.html

Chrome for desktop release: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html

This is patched as of Chrome for Android version 120.0.6099.230.

#

It is not stated how this vulnerability directly impacts Android devices, however Chrome for Android does incorporate the patches released prior to the desktop versions, and is therefore reasonable to err on the side of caution.

Due to the nature of the vulnerability, it is recommended EMM admins set Chrome for Android (or equivalent Chromium-based alternatives) app update policy to high priority, this will download and install the Chrome for Android update as soon as possible, ignoring all normal update constraints.

In AMAPI this is done by setting AutoUpdateMode to AUTO_UPDATE_HIGH_PRIORITY, but as labels in EMM platforms are inconsistent, look for settings within an assigned app to set an app specific update mode. Note by doing this, users may experience closures of Chrome while in use, per normal update expectations.

Alternatively, you may consider applying a minimumVersionCode policy with the code 609923033 for version 120.0.6099.230, or 609923133 to bump to version 120.0.6099.231 (a version above that which is patched) however be aware Chrome version codes vary, per Google:

Different build variants of Chrome for Android have different version codes

via

The above version codes are associated with the ARM64 builds of Chrome for Android and 10+. They are not the lowest version codes available for these versions of Chrome for Android.

Ensure appropriate testing is undertaken if choosing to use a version code policy, and be aware it is a highly disruptive policy that will prevent device use until the app is updated.

🛟 For help or guidance, feel free to reach out.

edit_note Edit this page.

Docs

General
Provisioning
Work profile
Fully managed
App management
FAQ