Google announced on Thursday that it has released patches to fix a significant security flaw in its Chrome browser, which has been actively exploited.

The vulnerability, identified as CVE-2024-5274, is a type confusion bug found in the V8 JavaScript and WebAssembly engine. This issue was reported by Clément Lecigne from Google’s Threat Analysis Group and Brendon Tiszka from Chrome Security on May 20, 2024.

You might be interested in: Cybersecurity Monitoring Service: Your Digital Guardian

Type confusion vulnerabilities occur when a program accesses a resource using an incompatible type. This can lead to serious consequences, such as out-of-bounds memory access, crashes, and arbitrary code execution by malicious actors.

This marks the fourth zero-day vulnerability that Google has patched in May, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.

Google has not provided detailed technical information about the flaw but confirmed that an exploit for CVE-2024-5274 is active in the wild. It remains unclear if this vulnerability is a bypass for the previously patched CVE-2024-4947, which is also a type confusion bug in V8.

With this latest fix, Google has addressed a total of eight zero-day vulnerabilities in Chrome since the beginning of the year:

• CVE-2024-0519: Out-of-bounds memory access in V8
• CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
• CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
• CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
• CVE-2024-4671: Use-after-free in Visuals
• CVE-2024-4761: Out-of-bounds write in V8
• CVE-2024-4947: Type confusion in V8

Users are urged to upgrade to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to protect against potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the updates as soon as they are available.

REFERENCE