Google has patched the first Chrome zero-day vulnerability of 2024 that has been actively exploited. The company acknowledged in a security advisory that an exploit for CVE-2024-0519 is present in the wild. The correction for this zero-day has been released to users on the Stable Desktop channel, with updated versions being dispatched globally to Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users within a week of the issue being reported to Google.
Despite Google's assertion that the security patch could take several days or weeks to reach all affected users, the update was readily available when checked for updates. Users who do not wish to manually update their browser can depend on Chrome to automatically look for and install new updates after the next startup.
Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability. While Google is aware of exploits for the CVE-2024-0519 zero-day being used in attacks, the company has not yet disclosed further details about these incidents. Google stated, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."
In addition to the CVE-2024-0519 patch, Google also fixed V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) flaws, which could allow for arbitrary code execution on compromised devices. In 2023, Google addressed eight Chrome zero-day vulnerabilities exploited in attacks, including CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033. Some of these, such as CVE-2023-4762, were identified as zero-days used to install spyware on vulnerable devices of high-risk users, like journalists and opposition politicians, several weeks after patches were released.