Google announced on Thursday that it has released patches to fix a significant security flaw in its Chrome browser, which has been actively exploited.
The vulnerability, identified as CVE-2024-5274, is a type confusion bug found in the V8 JavaScript and WebAssembly engine. This issue was reported by Clément Lecigne from Google’s Threat Analysis Group and Brendon Tiszka from Chrome Security on May 20, 2024.
Type confusion vulnerabilities occur when a program accesses a resource using an incompatible type. This can lead to serious consequences, such as out-of-bounds memory access, crashes, and arbitrary code execution by malicious actors.
This marks the fourth zero-day vulnerability that Google has patched in May, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
Google has not provided detailed technical information about the flaw but confirmed that an exploit for CVE-2024-5274 is active in the wild. It remains unclear if this vulnerability is a bypass for the previously patched CVE-2024-4947, which is also a type confusion bug in V8.
With this latest fix, Google has addressed a total of eight zero-day vulnerabilities in Chrome since the beginning of the year:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
Users are urged to upgrade to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to protect against potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the updates as soon as they are available.
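As an added example (not part of Google's advisory or the original article), this Python sketch checks a software inventory against the fixed build named above. The inventory rows, host names and status labels are constructed for illustration; only Google Chrome is compared, because other Chromium-based browsers use their own version numbering and follow their vendors' release schedules.

```python
import re

# Fixed build from the article. 125.0.6422.113 is the alternate
# Windows/macOS build, so .112 is the minimum on every platform.
FIXED = (125, 0, 6422, 112)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return a 4-int tuple from e.g. 'Google Chrome 125.0.6422.76', or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(product, version_text):
    """Label one inventory row (labels are this example's own convention)."""
    if product.strip().lower() != "google chrome":
        # Edge, Brave, Opera, Vivaldi: build numbers are not comparable.
        return "check-vendor"
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    # Compare as integer tuples. A plain string comparison would rank
    # "125.0.6422.76" above "125.0.6422.112" and hide a vulnerable host.
    return "patched" if version >= FIXED else "vulnerable"


def audit(rows):
    """Map host -> status for (host, product, version_text) rows."""
    return {host: classify(product, ver) for host, product, ver in rows}


# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 125.0.6422.76"),
    ("ws-02", "Google Chrome", "Google Chrome 125.0.6422.113"),
    ("ws-03", "Google Chrome", "Google Chrome 126.0.6478.56"),
    ("ws-04", "Microsoft Edge", "Microsoft Edge 125.0.2535.51"),
    ("ws-05", "Google Chrome", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```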