IRONSMITHINTEL
HIGH | CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2024-4671 | Auth: none — visiting a malicious page is sufficient | Reboot: not required | Est. 5 minutes (browser restart only) | Manual only

Microsoft Edge < 124.0.2478.97 — RCE

A use-after-free in the Chromium Visuals component (shared with Edge) allows remote code execution. Update Edge to 124.0.2478.105 or later — this is a Chromium zero-day that affected Edge, Chrome, and all Chromium-based browsers simultaneously.

Published May 10, 2024 · Updated May 29, 2026
Why patch: Risk explained in plain English
Worst-case scenario: If unpatched

An attacker hosting a malicious website can trigger code execution in the Edge renderer process. Combined with a sandbox escape, this enables system-level compromise. Even within the sandbox, attackers can steal session cookies and browser-stored passwords.

How the attack works: No clicks needed

The Chromium Visuals component handles rendering of web content. A use-after-free vulnerability in this component can be triggered by a specially crafted web page, allowing heap memory corruption that may lead to code execution within the browser process.

📧 Phishing link
🖼 Malicious file
🔓 Server compromised

Am I affected? Quick check

Probably yes if any of these apply:

All endpoints running Microsoft Edge
Workstations browsing untrusted sites
RDS/Citrix sessions with Edge
Running Microsoft Edge prior to 124.0.2478.105

Affected OS versions

Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Fixed in: 124.0.2478.97

Real-world incidents: What we've seen

Google disclosed CVE-2024-4671 as an actively exploited zero-day in Chrome on May 9, 2024. Microsoft shipped an Edge update incorporating the Chromium fix the same day. This was the sixth Chrome zero-day patched in 2024. Both CISA and Microsoft urged immediate updates, as the vulnerability affects all Chromium-based browsers including Edge and Brave.

How to patch

Manual remediation steps

5 minutes (browser restart only)

Apply the Microsoft Security Update

This vulnerability is fixed by Microsoft's official security update.

Affected Products

    1. Microsoft Edge (Chromium-based)

Installation Methods

Windows Update (recommended)

1. Open Settings → Windows Update → Check for updates
2. The security update will be offered if applicable to your system
3. Restart when prompted

Verification

Confirm the update is installed:

Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
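
Get-HotFix lists Windows update packages, so it does not show the browser build itself. The following is an added example, not a script from this advisory's publisher, that reads the version of the installed msedge.exe and compares it with the update target named above. The function name `Test-EdgePatchLevel` and the default machine-wide install paths are assumptions.

```powershell
# Added example: report whether the installed Edge build meets a minimum version.
# Assumption: Edge is installed in one of the default machine-wide locations.
function Test-EdgePatchLevel {
    [CmdletBinding()]
    param(
        # Update target named in this advisory; its "Fixed in" field lists 124.0.2478.97.
        [version]$MinimumVersion = '124.0.2478.105'
    )

    # ProgramFiles(x86) is empty on 32-bit Windows, so drop null roots and duplicates.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
        Where-Object { $_ } | Select-Object -Unique

    $found = foreach ($root in $roots) {
        $exe = Join-Path $root 'Microsoft\Edge\Application\msedge.exe'
        if (Test-Path -LiteralPath $exe) { Get-Item -LiteralPath $exe }
    }

    if (-not $found) {
        Write-Warning "msedge.exe not found in the default install paths on $env:COMPUTERNAME"
        return
    }

    foreach ($file in $found) {
        # ProductVersion is a dotted four-part string, so it casts cleanly to [version].
        $installed = [version]$file.VersionInfo.ProductVersion
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $file.FullName
            Installed    = $installed
            Minimum      = $MinimumVersion
            Patched      = $installed -ge $MinimumVersion
        }
    }
}

Test-EdgePatchLevel | Format-Table -AutoSize
```

A `Patched` value of `False` means the build on disk is older than the minimum. Edge must still be restarted after updating for the new build to be the one that is running.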

References

    1. Microsoft Security Response Center: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4671
    2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-4671
    3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-4671

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
