Google released fixes on Thursday to address a high-severity vulnerability in its Chrome browser, which it said was being actively exploited.
Tracked as CVE-2024-5274, the vulnerability is a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on May 20, 2024.
What does the vulnerability discovered by Google consist of?
Type confusion vulnerabilities occur when a program attempts to access a resource with an incompatible type. They can have serious consequences, as they allow cybercriminals to access memory outside the permitted limits, cause a system crash and, among other things, execute malicious code.
The development marks the fourth zero-day that Google has patched since the beginning of the month, after CVE-2024-4671, CVE-2024-4761 and CVE-2024-4947.
The tech giant did not disclose further technical details about the vulnerability, but acknowledged that it is “aware that an exploit for CVE-2024-5274 exists in the wild.” It is unclear whether the flaw is a patch bypass for CVE-2024-4947, which is also a type confusion bug in V8.
With the latest fix, Google has fixed a total of eight zero-days in Chrome since the beginning of the year:
- CVE-2024-0519: Out-of-bounds memory access in V8
  - Out-of-bounds memory access: This vulnerability occurs when a program attempts to read or write data outside the bounds of allocated memory, potentially resulting in a crash or execution of malicious code.
- CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
  - Use-after-free: This type of vulnerability occurs when a program continues to use a memory pointer after it has been freed. This may lead to arbitrary code execution or program crashes.
- CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
  - Type confusion: See above for description.
- CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
  - Out-of-bounds memory access: See above for description.
- CVE-2024-4671: Use-after-free in Visuals
  - Use-after-free: See above for description.
- CVE-2024-4761: Out-of-bounds write in V8
  - Out-of-bounds write: This vulnerability occurs when a program attempts to write data outside the bounds of allocated memory, which can lead to unexpected data modifications or program crashes.
- CVE-2024-4947: Type confusion in V8
  - Type confusion: See above for description.
Users are advised to update to Chrome version 125.0.6422.112/.113 for Windows and macOS, and to version 125.0.6422.112 for Linux to mitigate potential threats.
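A fleet check against the fixed builds named above, as an added example that is not from Google or the original article: it compares reported Google Chrome versions with 125.0.6422.112 and marks anything it cannot judge as unknown. The inventory rows, hostnames and function names are constructed for illustration.

```python
import re

# Fixed builds as stated in the article. Windows and macOS ship .112/.113 and
# Linux ships .112, so .112 is the minimum patched build on every platform.
FIXED = {
    "windows": (125, 0, 6422, 112),
    "macos": (125, 0, 6422, 112),
    "linux": (125, 0, 6422, 112),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first 4-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(platform, browser, version_text):
    """Classify one inventory row as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    # Only Google Chrome is compared. Other Chromium-based browsers number
    # their releases differently, so this threshold says nothing about them.
    if browser.strip().lower() != "google chrome" or fixed is None or version is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inventory: (host, platform, browser, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "Google Chrome", "Google Chrome 125.0.6422.113"),
    ("ws-02", "Windows", "Google Chrome", "125.0.6422.60"),
    ("mac-01", "macOS", "Google Chrome", "Google Chrome 124.0.0.0"),
    ("lx-01", "Linux", "Google Chrome", "Google Chrome 125.0.6422.112"),
    ("lx-02", "Linux", "Google Chrome", "Google Chrome 126.0.0.1"),
    ("ws-03", "Windows", "Microsoft Edge", "125.0.0.0"),
    ("ws-04", "Windows", "Google Chrome", "version unavailable"),
]


def audit(inventory):
    """Map each host to its status."""
    return {host: assess(platform, browser, text)
            for host, platform, browser, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need their own vendor's advisory or a manual check before they are considered safe.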
This also applies to Chromium-based browsers
As you know, Google Chrome is not the only browser based on the Chromium source code; there are quite a few others. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply fixes as they become available.
Are ChromeOS and ChromeOS Flex impacted as a result?
Without mincing words: yes!
Users who regularly use the ChromeOS and ChromeOS Flex operating systems must also pay attention to these vulnerabilities.
The first reason is quite obvious: both use the Google Chrome browser.
The second reason is a little less so: since ChromeOS is built on a Chrome foundation, the same vulnerabilities may be present and exploitable on these systems.
Google regularly releases security updates for ChromeOS, and users should ensure their devices are updated to the latest version available to protect themselves from these threats. It is recommended to check for system updates regularly and apply them as soon as they are available to keep your devices safe and secure.