Google fixes fifth Chrome zero-day exploited in attacks this year

Google has released a security update for the Chrome browser to fix the fifth zero-day vulnerability exploited in the wild since the start of the year.

The high-severity issue tracked as CVE-2024-4671 is a “use after free” vulnerability in the Visuals component, which handles the rendering and display of content in the browser.

CVE-2024-4671 was discovered and reported to Google by an anonymous researcher, and the company disclosed that it is likely actively exploited.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” reads the advisory, without providing further information.

Use-after-free flaws are security flaws that occur when a program continues to use a pointer after the memory it points to has been freed, following the completion of its legitimate operations on that region.

Because the freed memory may now contain different data or be used by other software or components, accessing it could result in data leakage, code execution, or a crash.

Google addressed the problem with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.

For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.201 for Mac and Windows, also to roll out later.

Chrome updates automatically when a security update is available, but users can confirm they are running the latest version by going to Settings > About Chrome, letting the update finish, and then clicking the ‘Relaunch’ button to apply it.
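For more than a handful of machines, the same check can be run against an inventory export. The following is an added example, not code from the article or from Google: it compares reported Chrome version strings numerically against the fixed build 124.0.6367.201 named above. The host names, inventory rows and the `patched` / `needs-update` / `unknown` labels are constructed for illustration.

```python
import re

# Fixed builds as stated in the article; a build at or above these carries the fix.
FIXED = {
    "windows": (124, 0, 6367, 201),
    "mac": (124, 0, 6367, 201),
    "linux": (124, 0, 6367, 201),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part version out of strings such as
    'Google Chrome 124.0.6367.155'. Returns a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Tuple comparison is numeric per field, so .99 sorts below .201
    # (a plain string comparison would get this wrong).
    return "patched" if version >= fixed else "needs-update"


def audit(inventory):
    """Map (host, platform, version_text) rows to (host, status) pairs."""
    return [(host, classify(platform, ver)) for host, platform, ver in inventory]


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 124.0.6367.202"),
    ("ws-02", "windows", "124.0.6367.99"),
    ("mac-01", "mac", "Google Chrome 124.0.6367.201"),
    ("lnx-01", "linux", "Google Chrome 123.0.6312.122"),
    ("lnx-02", "linux", "Google Chrome 125.0.6422.60"),
    ("ws-03", "windows", "not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Rows reported as `unknown` are not safe by default; they are the ones the script could not judge.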

This latest flaw addressed in Google Chrome is the fifth this year, with three others discovered during the March 2024 Pwn2Own hacking contest in Vancouver.

The complete list of Chrome zero-day vulnerabilities fixed since the start of 2024 also includes the following:

  • CVE-2024-0519: A high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
  • CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
  • CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
  • CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.