Google has launched a safety replace for the Chrome browser to repair the fifth zero-day vulnerability exploited within the wild for the reason that begin of the 12 months.
The high-severity situation tracked as CVE-2024-4671 is a “user after free” vulnerability within the Visuals part that handles the rendering and show of content material on the browser.
CVE-2024-4671 was found and reported to Google by an nameless researcher, whereas the corporate disclosed that it’s possible actively exploited.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” reads the advisory with out offering extra data.
Use after-free flaws are safety flaws that happen when a program continues to make use of a pointer after the reminiscence it factors to has been freed, following the completion of its authentic operations on that area.
As a result of the freed reminiscence may now include totally different knowledge or be utilized by different software program or parts, accessing it may end in knowledge leakage, code execution, or crash.
Google addressed the issue with the discharge of 124.0.6367.201/.202 for Mac/Home windows and 124.0.6367.201 for Linux, with the updates rolling out over the approaching days/weeks.
For customers of the ‘Extended Stable’ channel, fixes will probably be made obtainable in model 124.0.6367.201 for Mac and Home windows, additionally to roll out later.
Chrome updates mechanically when a safety replace is on the market, however customers can affirm they’re working the newest model by going to Settings > About Chrome, letting the replace end, after which clicking on the ‘Relaunch’ button to use it.
This newest flaw addressed in Google Chrome is the fifth this 12 months, with three others found throughout the March 2024 Pwn2Own hacking contest in Vancouver.
The entire record of Chrome zero-day vulnerabilities fastened for the reason that begin of 2024 additionally consists of the next:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak point inside the Chrome V8 JavaScript engine, permitting distant attackers to take advantage of heap corruption through a specifically crafted HTML web page, resulting in unauthorized entry to delicate data.
- CVE-2024-2887: A high-severity sort confusion flaw within the WebAssembly (Wasm) commonplace. It may result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by internet functions to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes through crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability attributable to an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry knowledge past the allotted reminiscence buffer, leading to heap corruption that may very well be leveraged to extract delicate data.
