The Hacker NewsTHN:FC362507805FB2C8E6447B5D0BFD68E8Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.7 High
AI Score
Confidence
Low
0.968 High
EPSS
Percentile
99.7%
Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by ClΓ©ment Lecigne of Googleβs Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024.
Type confusion vulnerabilities occur when a program attempts to access a resource with an incompatible type. It can have serious consequences as it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code.
The development marks the fourth zero-day that Google has patched since the start of the month after CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
The tech giant did not disclose additional technical details about the flaw, but acknowledged that it βis aware that an exploit for CVE-2024-5274 exists in the wild.β Itβs not clear if the shortcoming is a patch bypass for CVE-2024-4947, which is also a type confusion bug in V8.
With the latest fix, Google has resolved a total of eight zero-days in Chrome over the past five months -
- CVE-2024-0519 - Out-of-bounds memory access in V8
- CVE-2024-2886 - Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887 - Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159 - Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671 - Use-after-free in Visuals
- CVE-2024-4761 - Out-of-bounds write in V8
- CVE-2024-4947 - Type confusion in V8
Users are recommended to upgrade to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
Found this article interesting? Follow us on Twitter ο and LinkedIn to read more exclusive content we post.
Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
7.7 High
AI Score
Confidence
Low
0.968 High
EPSS
Percentile
99.7%