CISA Includes Chrome Zero-Days in its Known Exploited Vulnerabilities Catalog

May 17, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has incorporated two new vulnerabilities into its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities are associated with Google's Chromium engine and were reported by researchers from Kaspersky and an anonymous individual.

The first vulnerability, CVE-2024-4761, is an unspecified out-of-bounds memory write vulnerability in the Google Chromium V8 Engine, which can be exploited through a crafted HTML page. This vulnerability could potentially impact several web browsers that use Chromium, including Google Chrome, Microsoft Edge, and Opera. Kaspersky researchers Vasily Berdnikov and Boris Larin reported this vulnerability on May 13, 2024. Google acknowledged the existence of an exploit for CVE-2024-4947 in the wild, as stated in their published advisory.

The second vulnerability, CVE-2024-4671, is a use-after-free vulnerability in Google Chromium Visuals that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could also affect multiple web browsers that utilize Chromium. An anonymous researcher reported this flaw on May 7, 2024. Google's advisory confirms that an exploit for CVE-2024-4671 exists in the wild.

As is customary, Google has not disclosed details about the attacks exploiting these vulnerabilities. Under Binding Operational Directive (BOD) 22-01, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the cataloged flaws. Experts also advise private organizations to review the Catalog and address the vulnerabilities in their infrastructure. CISA has ordered federal agencies to remediate these vulnerabilities.
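One way to act on that advice is to cross-check scanner findings against the catalog and sort by remediation deadline. The sketch below is an added example, not code from CISA or from this article; it assumes the field names of CISA's KEV JSON feed (`cveID`, `dueDate`), and the dates, host names and inventory are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The CVE IDs are the two
# named in the article; the dateAdded/dueDate values are placeholders, not the
# catalog's actual dates.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-4761", "dateAdded": "2024-05-16", "dueDate": "2024-06-06"},
    {"cveID": "CVE-2024-4671", "dateAdded": "2024-05-13", "dueDate": "2024-06-03"},
]})

# Hypothetical inventory: host -> CVE IDs a scanner still reports as unpatched.
# "CVE-0000-0000" is a dummy ID standing in for a finding that is not in KEV.
INVENTORY = {
    "ws-014": {"cve-2024-4761", "CVE-0000-0000"},
    "kiosk-02": {"CVE-2024-4671"},
    "build-07": {"CVE-2024-4761", "CVE-2024-4671"},
}

def triage(kev_json, inventory, today):
    """Return KEV-listed findings per host, most urgent deadline first."""
    kev = {v["cveID"].upper(): v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for host, cves in inventory.items():
        for cve in {c.upper() for c in cves}:  # scanners differ in ID casing
            entry = kev.get(cve)
            if entry is None:
                continue  # not a known-exploited flaw; normal patch cycle applies
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": host,
                "cve": cve,
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": due < today,
            })
    rows.sort(key=lambda r: (r["days_left"], r["host"], r["cve"]))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_KEV, INVENTORY, date(2024, 6, 5)):
        flag = "OVERDUE" if row["overdue"] else "open"
        print(f'{row["host"]:<10} {row["cve"]:<15} due {row["due"]} '
              f'({row["days_left"]:+d} days) {flag}')
```

In practice `SAMPLE_KEV` would be replaced by the downloaded catalog and `INVENTORY` by an export from the vulnerability scanner.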
