Google has released emergency security updates for the Chrome browser to address a high-severity zero-day vulnerability tagged as exploited in attacks.
This fix comes only three days after Google addressed another zero-day vulnerability in Chrome, CVE-2024-4671, caused by a use-after-free weakness in the Visuals component.
The latest bug is tracked as CVE-2024-4761. It is an out-of-bounds write problem impacting Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
Out-of-bounds write issues occur when a program is allowed to write data outside the specified array or buffer, potentially leading to unauthorized data access, arbitrary code execution, or program crashes.
“Google is aware that an exploit for CVE-2024-4761 exists in the wild,” reads the advisory.
The company fixed the security flaw with the release of 124.0.6367.207/.208 for Mac/Windows and 124.0.6367.207 for Linux. The updates will roll out to all users over the coming days/weeks.
For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.207 for Mac and Windows.
Chrome updates automatically when a security update is available, but users can confirm they’re running the latest version by going to Settings > About Chrome, letting the update finish, and then clicking on the ‘Relaunch’ button to apply it.
Sixth zero-day exploited in attacks
This latest Google Chrome vulnerability is the sixth zero-day bug discovered and fixed in the popular web browser since the start of the year.
The company notes that an anonymous researcher reported the flaw on May 9, 2024, but no further details have been disclosed at this time.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.
Chrome zero-day flaws fixed in 2024 so far include:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and display of content on the browser.
