Google Addresses First Actively Exploited Chrome Zero-Day Vulnerability of 2024

January 16, 2024

Google has patched the first Chrome zero-day vulnerability of 2024 that has been actively exploited. The company acknowledged in a security advisory that an exploit for CVE-2024-0519 is present in the wild. The correction for this zero-day has been released to users on the Stable Desktop channel, with updated versions being dispatched globally to Windows (120.0.6099.224/225), Mac (120.0.6099.234), and Linux (120.0.6099.224) users within a week of the issue being reported to Google.

Despite Google's assertion that the security patch could take several days or weeks to reach all affected users, the update was readily available when checked for updates. Users who do not wish to manually update their browser can depend on Chrome to automatically look for and install new updates after the next startup.

The high-risk zero-day vulnerability (CVE-2024-0519) is attributed to a critical out-of-bounds memory access issue in the Chrome V8 JavaScript engine. Attackers can exploit this vulnerability to access data beyond the memory buffer, potentially accessing sensitive information or causing a system crash. As MITRE explains, "The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow."

Besides unauthorized memory access, CVE-2024-0519 could also be exploited to circumvent protection mechanisms such as ASLR, making it easier to execute code via another vulnerability. While Google is aware of exploits for the CVE-2024-0519 zero-day being used in attacks, the company has not yet disclosed further details about these incidents. Google stated, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix."

In addition to the CVE-2024-0519 patch, Google also fixed V8 out-of-bounds write (CVE-2024-0517) and type confusion (CVE-2024-0518) flaws, which could allow for arbitrary code execution on compromised devices. In 2023, Google addressed eight Chrome zero-day vulnerabilities exploited in attacks, including CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033. Some of these, such as CVE-2023-4762, were identified as zero-days used to install spyware on vulnerable devices of high-risk users, like journalists and opposition politicians, several weeks after patches were released.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.