Google Patches Eighth Actively Exploited Chrome Zero-Day of the Year
May 24, 2024
Google has released an urgent security patch for the eighth zero-day vulnerability in its Chrome browser to be actively exploited this year. The vulnerability was found by Google's own Clément Lecigne and is tracked as CVE-2024-5274. It is a high-severity type confusion bug in V8, Chrome's JavaScript engine.
Google has confirmed in its security advisory that an exploit for CVE-2024-5274 exists in the wild. A type confusion vulnerability arises when a program allocates a chunk of memory for one type of data but later accesses it as a different type. The consequences range from crashes and data corruption to arbitrary code execution.
To protect users from further exploitation attempts, Google has not disclosed technical details of the flaw. The company is waiting until a majority of users have updated their browsers before releasing more information. Google also noted that it will keep restricting access to the bug details if the flaw turns out to be in a third-party library that other projects depend on and that those projects have not yet fixed.
Google is rolling the fix out to Chrome's Stable channel as version 125.0.6422.112/.113 for Windows and Mac users. Linux users will receive version 125.0.6422.112 in the upcoming weeks. Chrome installs critical security updates automatically, but they take effect only after the browser is restarted. Users can verify they are on the latest version in the About section of the Settings menu. If an update is available, let the update process complete and then click the 'Relaunch' button to apply it.
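One way to check a reported Chrome version against the fixed builds named above, as an added example that is not from the article or from Google (the `google-chrome` binary name and the numeric field-by-field comparison are assumptions; the fixed build numbers are the ones the article gives):

```python
"""Check whether a Chrome build carries the fix for CVE-2024-5274.

Added example, not part of the original article. The fixed build numbers
come from the article: 125.0.6422.112/.113 for Windows and Mac, and
125.0.6422.112 for Linux. Version strings are compared numerically, field
by field, so "125.0.6422.9" correctly sorts below "125.0.6422.112" (a plain
string comparison would get this wrong).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum Stable-channel build that contains the fix, per platform (from the article).
FIXED_BUILDS = {
    "windows": (125, 0, 6422, 112),
    "mac": (125, 0, 6422, 112),
    "linux": (125, 0, 6422, 112),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part dotted Chrome version (e.g. from the output
    'Google Chrome 125.0.6422.112') and return it as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version: str, platform: str) -> bool:
    """True if the given build is at or above the fixed build for the platform."""
    fixed = FIXED_BUILDS[platform.lower()]
    return parse_version(version) >= fixed


def installed_version(binary: str = "google-chrome") -> Optional[str]:
    """Best effort: ask a locally installed Chrome binary for its version string.
    The binary name is an assumption; returns None if it is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample version strings, in the format Chrome prints for --version.
    for sample in ("Google Chrome 125.0.6422.76", "Google Chrome 125.0.6422.112"):
        print(sample, "->", "patched" if is_patched(sample, "linux") else "UPDATE NEEDED")
```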
CVE-2024-5274 is the eighth actively exploited zero-day that Google has fixed in Chrome since the start of the year, and the third this month. Separately, Google's earlier decision to decrease the frequency of Chrome security updates from twice to once a week addresses the patch gap, the window between a fix becoming public and users receiving it, which gives threat actors additional time to exploit zero-day vulnerabilities.