VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2024 · Updated Jun 17, 2025

OOB Access in CefVideoConsumerOSR::OnFrameCaptured

CVE-2024-21640

Description

Chromium Embedded Framework (CEF) is a simple framework for embedding Chromium-based browsers in other applications. CefVideoConsumerOSR::OnFrameCaptured does not check pixel_format properly, which leads to an out-of-bounds read out of the sandbox. This vulnerability was patched in commit 1f55d2e.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CEF's CefVideoConsumerOSR::OnFrameCaptured fails to validate pixel_format, allowing a compromised GPU process to trigger an out-of-bounds read.

Vulnerability

The vulnerability resides in CefVideoConsumerOSR::OnFrameCaptured within the Chromium Embedded Framework (CEF). The function does not properly validate the pixel_format parameter when processing frame data from the GPU process. It calls media::VideoFrame::AllocationSize with the provided pixel_format and coded_size to calculate the expected buffer size, but then passes the buffer to view_->OnPaint without preserving the format. The default OsrRenderer::OnPaint in cefclient assumes the format is ARGB (GL_BGRA). A compromised GPU process can send a malicious frame with a different pixel_format (e.g., UNKNOWN), causing AllocationSize to return zero. This allows a buffer smaller than the ARGB allocation to pass the size check, leading to an out-of-bounds read. All versions prior to commit 1f55d2e are affected [1][2].
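The size-check failure described above, as an added illustration that is not CEF or Chromium code: a minimal model with stand-in PixelFormat, Size and AllocationSize types (the real ones are media::VideoPixelFormat, gfx::Size and media::VideoFrame::AllocationSize) showing why a declared format of UNKNOWN lets a zero-byte buffer pass the check, beside a hardened check that validates against the format OnPaint actually reads. The hardened variant illustrates the class of fix, not the content of commit 1f55d2e.

```cpp
// Added illustration, not CEF/Chromium code. The enum, Size and
// AllocationSize() are simplified stand-ins for the Chromium types named above.
#include <cstddef>
#include <iostream>

enum class PixelFormat { UNKNOWN, ARGB };

struct Size { int width; int height; };

// Stand-in: ARGB is 4 bytes per pixel; an UNKNOWN format has no pixel layout,
// so the modeled allocation size is zero, as the advisory describes.
size_t AllocationSize(PixelFormat format, Size coded_size) {
  if (format == PixelFormat::ARGB && coded_size.width > 0 && coded_size.height > 0)
    return static_cast<size_t>(coded_size.width) * coded_size.height * 4;
  return 0;
}

// Vulnerable pattern: the required size is computed from the sender-supplied
// pixel_format, but the consumer (OnPaint) reads the buffer as ARGB regardless.
// pixel_format == UNKNOWN gives a required size of 0, so any buffer passes.
bool AcceptFrameVulnerable(PixelFormat pixel_format, Size coded_size, size_t buffer_len) {
  return buffer_len >= AllocationSize(pixel_format, coded_size);
}

// Hardened pattern (illustrative): reject any frame whose declared format is
// not the one the consumer reads, then size-check against that format, so the
// required size can never collapse to zero.
bool AcceptFrameHardened(PixelFormat pixel_format, Size coded_size, size_t buffer_len) {
  if (pixel_format != PixelFormat::ARGB) return false;
  const size_t required = AllocationSize(PixelFormat::ARGB, coded_size);
  return required != 0 && buffer_len >= required;
}

// Bytes an ARGB reader would touch beyond a buffer that passed the check.
size_t OverreadBytes(Size coded_size, size_t buffer_len) {
  const size_t read = AllocationSize(PixelFormat::ARGB, coded_size);
  return read > buffer_len ? read - buffer_len : 0;
}

int main() {
  const Size frame{64, 64};          // constructed sample dimensions
  const size_t empty_buffer = 0;     // constructed undersized buffer
  std::cout << "vulnerable accepts UNKNOWN/0 bytes: "
            << AcceptFrameVulnerable(PixelFormat::UNKNOWN, frame, empty_buffer) << '\n'
            << "hardened accepts UNKNOWN/0 bytes:   "
            << AcceptFrameHardened(PixelFormat::UNKNOWN, frame, empty_buffer) << '\n'
            << "ARGB over-read if accepted: " << OverreadBytes(frame, empty_buffer) << " bytes\n";
  return 0;
}
```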

Exploitation

An attacker must first compromise the GPU process (e.g., via another vulnerability) to send crafted frames. The attacker sets pixel_format to a value that makes AllocationSize return zero, bypassing the size check. The undersized buffer is then passed to OnPaint, which reads beyond its bounds assuming ARGB format. No user interaction is required beyond the initial GPU process compromise [1].

Impact

Successful exploitation results in an out-of-bounds read that escapes the GPU process sandbox, potentially disclosing sensitive memory contents from the browser or other processes. The impact is information disclosure, which could lead to further compromise [1].

Mitigation

The vulnerability is fixed in commit 1f55d2e (merged on 2024-01-13). Users should update CEF to a version that includes this commit. No workarounds are available. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
