Google fixes eighth actively exploited Chrome zero-day this year

Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome browser confirmed to be actively exploited in the wild.

The security issue was discovered internally by Google’s Clément Lecigne and is tracked as CVE-2024-5274. It is a high-severity ‘type confusion’ bug in V8, Chrome’s JavaScript engine, which is responsible for executing JS code.

“Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the company said in the security advisory.

A “type confusion” vulnerability occurs when a program allocates a piece of memory to hold one type of data but later interprets that memory as a different type. Depending on how the misread data is used, this can lead to crashes, data corruption, or arbitrary code execution.
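The mechanism in the paragraph above, shown in a small C program. This is an added, constructed illustration and not Chrome or V8 code: a tagged value (the tag says whether the union holds an integer or a string pointer), an accessor that skips the tag check and therefore returns integer bits as a pointer, and a hardened accessor that refuses unless the tag matches. The bogus pointer is only compared, never dereferenced, which is why the program runs safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed example (not Chrome/V8 code): a tagged value of the kind a
 * script engine keeps, where the tag says which union member is live. */
typedef enum { KIND_INT = 1, KIND_STRING = 2 } kind_t;

typedef struct {
    kind_t kind;
    union {
        int64_t integer;     /* live when kind == KIND_INT */
        const char *string;  /* live when kind == KIND_STRING */
    } u;
} value_t;

static value_t make_int(int64_t n) {
    value_t v;
    v.kind = KIND_INT;
    v.u.integer = n;
    return v;
}

static value_t make_string(const char *s) {
    value_t v;
    v.kind = KIND_STRING;
    v.u.string = s;
    return v;
}

/* Vulnerable pattern: the caller "knows" v is a string and reads the pointer
 * member without consulting the tag. When v actually holds an integer, the
 * integer's bits come back as a pointer: that is the type confusion.
 * Dereferencing such a pointer is what turns the bug into memory corruption;
 * this demo only returns it, so it stays safe to run. */
static const char *string_unchecked(const value_t *v) {
    return v->u.string;
}

/* Hardened accessor: check the tag first, refuse otherwise. */
static bool string_checked(const value_t *v, const char **out) {
    if (v->kind != KIND_STRING) {
        return false;
    }
    *out = v->u.string;
    return true;
}

/* True when the unchecked read of an integer value yields a pointer whose
 * address bits are exactly the integer, i.e. data became a pointer. */
bool unchecked_confuses_int(int64_t n) {
    value_t v = make_int(n);
    const char *p = string_unchecked(&v);
    return (uintptr_t)p == (uintptr_t)n;
}

/* True when the checked accessor refuses to treat an integer as a string
 * and leaves the output untouched. */
bool checked_rejects_int(int64_t n) {
    value_t v = make_int(n);
    const char *p = NULL;
    return !string_checked(&v, &p) && p == NULL;
}

/* True when the checked accessor hands a genuine string back intact. */
bool checked_accepts_string(const char *s) {
    value_t v = make_string(s);
    const char *p = NULL;
    return string_checked(&v, &p) && p != NULL && strcmp(p, s) == 0;
}
```

The tag check is the whole fix; in a JIT-compiled engine the hard part is keeping such checks in place on every optimised fast path, which is why type confusion keeps reappearing as a bug class.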

Google has not shared technical details about the flaw, both to keep other threat actors from developing their own exploits and to give users time to install a browser version that addresses the problem.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” said the tech giant.

Fix available on Chrome Stable

Google’s fix is being rolled out to Chrome’s Stable channel in version 125.0.6422.112/.113 for Windows and Mac, while Linux users will get the update on version 125.0.6422.112 in the coming weeks.

Chrome installs important security updates automatically and they take effect after relaunching the browser. Users can confirm they are using the latest version in the About section of the Settings menu.

If an update is available, users should wait for the update process to finish and then click on the ‘Relaunch’ button to apply it.
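For anyone checking more than one machine, the comparison behind "am I on the fixed version?" is easy to get wrong if versions are compared as strings (for example, "125.0.6422.76" sorts after "125.0.6422.112" lexically but is older). The following is an added example, not a Google or Chrome tool: it parses a four-part Chrome version, compares it numerically against the fixed build from this article, and also accepts a banner line of the form `Google Chrome 125.0.6422.112`, which is the format `google-chrome --version` prints on Linux (the sample values below are constructed).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: numeric comparison of Chrome "major.minor.build.patch"
 * version strings, e.g. "125.0.6422.112", against a minimum fixed version. */

/* Parse "a.b.c.d" into four non-negative ints; false on malformed input. */
static bool parse_version(const char *s, int out[4]) {
    char trailing;
    int n = sscanf(s, "%d.%d.%d.%d%c",
                   &out[0], &out[1], &out[2], &out[3], &trailing);
    if (n != 4) {
        return false; /* too few parts, or junk after the fourth part */
    }
    for (int i = 0; i < 4; i++) {
        if (out[i] < 0) {
            return false;
        }
    }
    return true;
}

/* Component-wise comparison: negative, zero or positive like strcmp. */
static int compare_versions(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i]) {
            return a[i] < b[i] ? -1 : 1;
        }
    }
    return 0;
}

/* 1 if `installed` is at least `fixed`, 0 if it is older, -1 if either
 * string cannot be parsed (treat that as "unknown, investigate"). */
int chrome_at_least(const char *installed, const char *fixed) {
    int a[4], b[4];
    if (!parse_version(installed, a) || !parse_version(fixed, b)) {
        return -1;
    }
    return compare_versions(a, b) >= 0 ? 1 : 0;
}

/* Same check on a banner such as "Google Chrome 125.0.6422.112": the first
 * run of digits and dots is taken as the version. */
int banner_at_least(const char *banner, const char *fixed) {
    char buf[32];
    const char *p = strpbrk(banner, "0123456789");
    if (p == NULL) {
        return -1;
    }
    size_t i = 0;
    while (i < sizeof buf - 1 && (isdigit((unsigned char)p[i]) || p[i] == '.')) {
        buf[i] = p[i];
        i++;
    }
    buf[i] = '\0';
    return chrome_at_least(buf, fixed);
}

int main(void) {
    /* Fixed Stable build for Windows/Mac/Linux named in the article. */
    const char *fixed = "125.0.6422.112";
    /* Constructed sample banner, as printed by `google-chrome --version`. */
    const char *banner = "Google Chrome 125.0.6422.112";
    int r = banner_at_least(banner, fixed);
    printf("%s -> %s\n", banner,
           r == 1 ? "patched" : r == 0 ? "OLDER than fix" : "unparseable");
    return 0;
}
```

A result of 0 means the browser still needs the update and a relaunch; -1 means the version string did not look like a Chrome version and should be looked at by hand rather than silently counted as patched.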


Third actively exploited zero-day this month

CVE-2024-5274 is the eighth actively exploited vulnerability that Google fixed in Chrome since the beginning of the year, and the third this month.

At the same time, Google’s previous decision to reduce the delivery of Chrome security updates from twice to once a week addresses the patch gap problem that gives threat actors extra time to exploit zero-day flaws.

Actively exploited zero-day flaws in Chrome that have been patched earlier this year are:

  1. CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
  2. CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
  3. CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
  4. CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
  5. CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component, which handles rendering and displaying content in the browser.
  6. CVE-2024-4761: An out-of-bounds write problem in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
  7. CVE-2024-4947: High-severity type confusion weakness in the Chrome V8 JavaScript engine, potentially enabling arbitrary code execution on the target device.