Google has launched a safety replace for the Chrome browser to repair the fifth zero-day vulnerability exploited within the wild because the begin of the yr.
The high-severity situation tracked as CVE-2024-4671 is a “person after free” vulnerability within the Visuals element that handles the rendering and show of content material on the browser.
CVE-2024-4671 was found and reported to Google by an nameless researcher, whereas the corporate disclosed that it’s probably actively exploited.
“Google is conscious that an exploit for CVE-2024-4671 exists within the wild,” reads the advisory with out offering extra info.
Use after-free flaws are safety flaws that happen when a program continues to make use of a pointer after the reminiscence it factors to has been freed, following the completion of its reliable operations on that area.
As a result of the freed reminiscence may now include completely different knowledge or be utilized by different software program or elements, accessing it may lead to knowledge leakage, code execution, or crash.
Google addressed the issue with the discharge of 124.0.6367.201/.202 for Mac/Home windows and 124.0.6367.201 for Linux, with the updates rolling out over the approaching days/weeks.
For customers of the ‘Prolonged Secure’ channel, fixes will likely be made obtainable in model 124.0.6367.201 for Mac and Home windows, additionally to roll out later.
Chrome updates robotically when a safety replace is offered, however customers can verify they’re working the most recent model by going to Settings > About Chrome, letting the replace end, after which clicking on the ‘Relaunch’ button to use it.
This newest flaw addressed in Google Chrome is the fifth this yr, with three others found throughout the March 2024 Pwn2Own hacking contest in Vancouver.
The entire record of Chrome zero-day vulnerabilities mounted because the begin of 2024 additionally consists of the next:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak spot inside the Chrome V8 JavaScript engine, permitting distant attackers to take advantage of heap corruption through a specifically crafted HTML web page, resulting in unauthorized entry to delicate info.
- CVE-2024-2887: A high-severity kind confusion flaw within the WebAssembly (Wasm) commonplace. It may result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by net functions to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes through crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability brought on by an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry knowledge past the allotted reminiscence buffer, leading to heap corruption that could possibly be leveraged to extract delicate info.