Chrome Zero-Day Alert: Update Your Browser to Fix New Vulnerability

Google released security updates on Thursday to address a zero-day vulnerability in Chrome actively exploited in the wild.

The high-severity vulnerability identified as CVE-2024-4671 has been described as a use-after-free issue in the Visuals component. An anonymous researcher reported the problem on May 7, 2024.

Use-after-free bugs, occurring when a program references a memory location after it has been freed, can have various consequences, from a crash to arbitrary code execution.

"Google is aware of an exploit for CVE-2024-4671 in the wild," the company said in a brief advisory without disclosing additional details on how the flaw is being used in real-world attacks or the identity of the actors behind them.

With this latest development, Google has addressed two zero-days actively exploited in Chrome since the beginning of the year.

In early January, the tech giant patched an out-of-bounds memory access issue in the V8 JavaScript and WebAssembly engine (CVE-2024-0519, CVSS score: 8.8) that could lead to a crash.

Google also addressed three other zero-days revealed during the Pwn2Own hacking contest in Vancouver in March:

CVE-2024-2886 – Use-after-free in WebCodecs

CVE-2024-2887 – Type confusion in WebAssembly

CVE-2024-3159 – Out-of-bounds memory access in V8

Users are advised to update to Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as soon as they are available.
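For teams checking a fleet against the fixed build named above, the following added example (not from the original article or from Google) classifies collected Google Chrome version strings against 124.0.6367.201. The host names and inventory entries are constructed, and Chromium-based browsers are left out because the article gives no fixed versions for them.

```python
import re

# Fixed build taken from the article: 124.0.6367.201 (Windows/macOS also ship .202).
FIXED_BUILD = (124, 0, 6367, 201)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Extract the four-part version from a collected version string."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Return 'patched', 'needs_update' or 'unknown' for one version string."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "124.0.6367.91" above "124.0.6367.201".
    return "patched" if version >= FIXED_BUILD else "needs_update"


def audit(inventory):
    """Return (host, status) pairs; hosts needing follow-up sort first."""
    order = {"needs_update": 0, "unknown": 1, "patched": 2}
    results = [(host, classify(raw)) for host, raw in inventory.items()]
    return sorted(results, key=lambda item: (order[item[1]], item[0]))


# Constructed inventory: hypothetical host names and version strings.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 124.0.6367.202",
    "ws-002": "Google Chrome 124.0.6367.91",
    "mac-07": "Google Chrome 124.0.6367.201",
    "lnx-12": "Google Chrome 123.0.6312.122",
    "ws-003": "",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` returned no parseable version and should be checked by hand rather than assumed patched.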

Via The Hacker News