Google Patches Chrome Zero-Days Exposed at Pwn2Own 2024

March 27, 2024

Google has addressed seven security vulnerabilities in its Chrome web browser, including two zero-days demonstrated during the Pwn2Own Vancouver 2024 hacking competition.

The first flaw, identified as CVE-2024-2887, is a high-severity type confusion vulnerability in the WebAssembly (Wasm) open standard. Manfred Paul demonstrated it on the first day of Pwn2Own as part of a double-tap remote code execution (RCE) exploit that used a specially crafted HTML page and targeted both Chrome and Edge.

The second zero-day, tracked as CVE-2024-2886, was exploited by Seunghyun Lee of KAIST Hacking Lab on the second day of the CanSecWest Pwn2Own contest. The flaw is a use-after-free (UAF) weakness in the WebCodecs API, which web applications use to encode and decode audio and video content. It allows remote attackers to perform arbitrary reads and writes via specially crafted HTML pages. Lee also used CVE-2024-2886 to achieve remote code execution with a single exploit targeting both Google Chrome and Microsoft Edge.

The two zero-day vulnerabilities were fixed in the Google Chrome stable channel, version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux. These fixes will be distributed globally over the next few days. On the same day these bugs were demonstrated, Mozilla also patched two Firefox zero-days exploited by Manfred Paul at Pwn2Own Vancouver 2024.

Although Mozilla took only one day and Google five days to patch these vulnerabilities, vendors usually take longer to release patches for security flaws demonstrated at Pwn2Own, since they have 90 days to push fixes before Trend Micro's Zero Day Initiative publicly discloses bug details.

In January, Google also fixed an actively exploited zero-day in Chrome (CVE-2024-0519) that allowed attackers to access sensitive information or crash unpatched browsers due to an out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.

The Pwn2Own 2024 Vancouver competition ended on March 22, with security researchers earning $1,132,500 for demonstrating 29 zero-day exploits and exploit chains over two days. Manfred Paul emerged as this year's winner with $202,500 in cash prizes after successfully exploiting the Apple Safari, Google Chrome, and Microsoft Edge web browsers.
