Google Addresses First Actively Exploited Chrome Zero-Day Vulnerability of 2024

January 16, 2024

Google has patched the first Chrome zero-day vulnerability of 2024 that has been actively exploited. The company acknowledged in a security advisory that an exploit for CVE-2024-0519 is present in the wild. The correction for this zero-day has been released to users on the Stable Desktop channel, with updated versions being dispatched globally to Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users within a week of the issue being reported to Google.

Despite Google's assertion that the security patch could take several days or weeks to reach all affected users, the update was readily available when checked for updates. Users who do not wish to manually update their browser can depend on Chrome to automatically look for and install new updates after the next startup.

The high-risk zero-day vulnerability (CVE-2024-0519) is attributed to a critical out-of-bounds memory access issue in the Chrome V8 JavaScript engine. Attackers can exploit this vulnerability to access data beyond the memory buffer, potentially accessing sensitive information or causing a system crash. As MITRE explains, "The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow."

Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability. While Google is aware of exploits for the CVE-2024-0519 zero-day being used in attacks, the company has not yet disclosed further details about these incidents. Google stated, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

In addition to the CVE-2024-0519 patch, Google also fixed V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) flaws, which could allow for arbitrary code execution on compromised devices. In 2023, Google addressed eight Chrome zero-day vulnerabilities exploited in attacks, including CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033. Some of these, such as CVE-2023-4762, were identified as zero-days used to install spyware on vulnerable devices of high-risk users, like journalists and opposition politicians, several weeks after patches were released.

Related News

• CISA Updates Known Exploited Vulnerabilities Catalog with Chrome and Perl Library Flaws
• Google Patches 8th Chrome Zero-Day Exploited in 2023
• CISA Catalogs Exploited Vulnerabilities in ownCloud and Google Chrome
• Google Chrome Rolls Out Urgent Security Update to Address 6th Zero-Day Exploit in 2023
• Apple Rolls Out iOS/iPadOS 16.7.1 to Address Zero-Day Vulnerability

Latest News

• Citrix Issues Urgent Warning for Two Actively Exploited Zero-Day Vulnerabilities
• Google Chrome's Zero-Day Vulnerability: CVE-2024-0519
• Androxgh0st Malware Botnet Targets AWS and Microsoft Credentials: FBI and CISA Alert
• Critical Vulnerability in VMware Aria Automation Addressed: Immediate Update Recommended
• Critical RCE Vulnerability Found in Older Atlassian Confluence Versions