Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024.
Out-of-bounds write bugs can typically be exploited by malicious actors to corrupt data, induce a crash, or execute arbitrary code on compromised hosts.
"Google is aware that an exploit for CVE-2024-4761 exists in the wild," the tech giant said.
Additional details about the nature of the attacks have been withheld to prevent more threat actors from weaponizing the flaw.
The disclosure comes merely days after the company patched CVE-2024-4671, a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks.
With the latest fix, Google has addressed a total of six zero-days since the start of the year, three of which were demonstrated at the Pwn2Own hacking contest in Vancouver in March:
- CVE-2024-0519 - Out-of-bounds memory access in V8 (actively exploited)
- CVE-2024-2886 - Use-after-free in WebCodecs
- CVE-2024-2887 - Type confusion in WebAssembly
- CVE-2024-3159 - Out-of-bounds memory access in V8
- CVE-2024-4671 - Use-after-free in Visuals (actively exploited)
Users are advised to upgrade to Chrome version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux, to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
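For teams tracking rollout of the fixed Chrome builds named above, the following added example (not part of the original article or any Google tooling) checks an inventory of reported version strings against 124.0.6367.207. The inventory format, host names and sample lines are constructed for illustration, and the check assumes stable-channel builds, where a numerically higher version carries the fix; it covers Google Chrome only, since the article gives no fixed versions for other Chromium-based browsers.

```python
import re

# Minimum fixed build named in the article (Windows/macOS also ship .208).
FIXED = (124, 0, 6367, 207)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.
    Assumption: stable-channel builds, so a higher version includes the fix."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Tuple comparison is numeric per component, so .99 sorts below .207
    # (a plain string comparison would get this wrong).
    return "patched" if v >= fixed else "vulnerable"


def audit(inventory_lines):
    """Map host -> status from 'host,os,version-string' lines."""
    report = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _os, version_text = (f.strip() for f in line.split(",", 2))
        report[host] = classify(version_text)
    return report


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE = [
    "# host,os,version",
    "ws-001,windows,Google Chrome 124.0.6367.208",
    "ws-002,macos,Google Chrome 124.0.6367.201",
    "ws-003,linux,Google Chrome 124.0.6367.99",
    "ws-004,linux,Google Chrome 125.0.6422.60",
    "ws-005,windows,not installed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" returned no parseable version and need a manual check rather than being counted as patched.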