Google Fixes Severe Chrome Vulnerability, CVE-2024-4058

April 24, 2024

Google has announced an update to Chrome 124 that addresses four vulnerabilities, among which is a critical flaw, tagged as CVE-2024-4058. This bug, a type confusion issue in the ANGLE graphics layer engine, has been assigned a 'critical' severity rating, indicating it could potentially be exploited remotely for arbitrary code execution or sandbox escapes with minimal user interaction. This level of severity is rarely assigned to Chrome vulnerabilities.

The discovery of CVE-2024-4058 was credited to two members of Qrious Secure, who were awarded a $16,000 bounty for their findings. Qrious Secure is a group of experienced hackers who specialize in identifying vulnerabilities and exploiting them 'for fun and profit'. The group has previously reported two other Chrome vulnerabilities to Google: CVE-2024-0517, which allows remote code execution, and CVE-2024-0223, which can be exploited directly from JavaScript, potentially granting GPU privilege permissions. Both of these were patched earlier in the year.

Google has not reported any instances of CVE-2024-4058 being exploited in the wild. It is worth noting that type confusion bugs in Chrome are often exploited by threat actors, but these usually affect the V8 JavaScript engine.

The latest Chrome update also addresses two high-severity vulnerabilities, CVE-2024-4059, an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free in the Dawn component. The bug bounties for these vulnerabilities are yet to be determined.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.