Google has launched a safety replace for the Chrome browser to repair the fifth zero-day vulnerability exploited within the wild because the begin of the 12 months.
The high-severity concern tracked as CVE-2024-4671 is a “consumer after free” vulnerability within the Visuals element that handles the rendering and show of content material on the browser.
CVE-2024-4671 was found and reported to Google by an nameless researcher, whereas the corporate disclosed that it’s probably actively exploited.
“Google is conscious that an exploit for CVE-2024-4671 exists within the wild,” reads the advisory with out offering extra data.
Use after-free flaws are safety flaws that happen when a program continues to make use of a pointer after the reminiscence it factors to has been freed, following the completion of its reliable operations on that area.
As a result of the freed reminiscence may now include completely different knowledge or be utilized by different software program or elements, accessing it may lead to knowledge leakage, code execution, or crash.
Google addressed the issue with the discharge of 124.0.6367.201/.202 for Mac/Home windows and 124.0.6367.201 for Linux, with the updates rolling out over the approaching days/weeks.
For customers of the ‘Prolonged Steady’ channel, fixes can be made out there in model 124.0.6367.201 for Mac and Home windows, additionally to roll out later.
Chrome updates robotically when a safety replace is out there, however customers can verify they’re working the most recent model by going to Settings > About Chrome, letting the replace end, after which clicking on the ‘Relaunch’ button to use it.
This newest flaw addressed in Google Chrome is the fifth this 12 months, with three others found throughout the March 2024 Pwn2Own hacking contest in Vancouver.
The entire listing of Chrome zero-day vulnerabilities mounted because the begin of 2024 additionally contains the next:
- CVE-2024-0519: A high-severity out-of-bounds reminiscence entry weak spot inside the Chrome V8 JavaScript engine, permitting distant attackers to use heap corruption by way of a specifically crafted HTML web page, resulting in unauthorized entry to delicate data.
- CVE-2024-2887: A high-severity kind confusion flaw within the WebAssembly (Wasm) customary. It may result in distant code execution (RCE) exploits leveraging a crafted HTML web page.
- CVE-2024-2886: A use-after-free vulnerability within the WebCodecs API utilized by internet functions to encode and decode audio and video. Distant attackers exploited it to carry out arbitrary reads and writes by way of crafted HTML pages, resulting in distant code execution.
- CVE-2024-3159: A high-severity vulnerability attributable to an out-of-bounds learn within the Chrome V8 JavaScript engine. Distant attackers exploited this flaw utilizing specifically crafted HTML pages to entry knowledge past the allotted reminiscence buffer, leading to heap corruption that could possibly be leveraged to extract delicate data.