Google on Thursday released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024.
Use-after-free bugs, which arise when a program references a memory location after it has been deallocated, can lead to any number of consequences, ranging from a crash to arbitrary code execution. "Google is aware that an exploit for CVE-2024-4671 exists in the wild," the company said in a terse advisory without revealing additional specifics of how the flaw is being weaponized in real-world attacks or the identity of the threat actors behind them.
With the latest development, Google has addressed two actively exploited zero-days in Chrome since the start of the year.
Earlier this January, the tech giant patched an out-of-bounds memory access issue in the V8 JavaScript and WebAssembly engine (CVE-2024-0519, CVSS score: 8.8) that could result in a crash.
Google also addressed three other zero-days that were disclosed during the Pwn2Own hacking contest in Vancouver in March -
CVE-2024-2886 - Use-after-free in WebCodecs
CVE-2024-2887 - Type confusion in WebAssembly
CVE-2024-3159 - Out-of-bounds memory access in V8
Affected Systems
-
IoCs
-
Recommended Solution(s)
Users are recommended to upgrade to Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux to mitigate potential threats.
Mitigations
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
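To check a fleet against the fixed builds named above, the following added example (not part of the original advisory) classifies a browser inventory by version. The CSV layout, host names, status labels and sample rows are assumptions constructed for illustration; only the 124.0.6367.201 threshold comes from this page.

```python
# Added example: flag hosts whose Chrome build is older than the fix for CVE-2024-4671.
# The inventory format and every sample row below are constructed, not real data.

# Lowest fixed build per OS as stated in this advisory (.202 on Windows/macOS also passes).
FIXED_CHROME = {
    "windows": (124, 0, 6367, 201),
    "macos": (124, 0, 6367, 201),
    "linux": (124, 0, 6367, 201),
}

# Constructed sample inventory: host, OS, browser, reported version.
INVENTORY = """\
ws-001,windows,chrome,124.0.6367.202
ws-002,windows,chrome,124.0.6367.200
mac-01,macos,chrome,124.0.6367.201
lnx-07,linux,chrome,123.0.0.0
ws-003,windows,edge,1.2.3.4
lnx-09,linux,chrome,not-reported
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a Chrome-style version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, browser, version_text):
    """Map one inventory row to patched / vulnerable / unknown / check-vendor."""
    if browser.lower() != "chrome":
        # Other Chromium-based browsers use their own version numbers;
        # the advisory gives no fixed build for them.
        return "check-vendor"
    fixed = FIXED_CHROME.get(os_name.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # cannot prove the host is patched, so surface it
    return "patched" if version >= fixed else "vulnerable"

def audit(inventory_text):
    """Return {host: status} for every non-empty row of the inventory."""
    results = {}
    for line in inventory_text.splitlines():
        if line.strip():
            host, os_name, browser, version = (f.strip() for f in line.split(","))
            results[host] = classify(os_name, browser, version)
    return results

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked `unknown` or `check-vendor` need follow-up rather than being treated as safe.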
CVE / CWE
CVE-2024-4671
Related Website(s)
* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.