Google has fixed its first, actively exploited, Chrome zero-day vulnerability of the year.
The flaw is tracked as CVE-2024-0519, and allows attackers to gain access to sensitive data, or launch denial of service attacks. The flaw can also be chained with other vulnerabilities to achieve remote code execution (RCE), it was said.
“Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild,” the browser giant said in an advisory published earlier this week.
No details – yet
The latest version of the browser is 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac, and 120.0.6099.224 for Linux. Even though Google usually says that the rollout of the patch to the Stable Desktop channel will be gradual, it was available when we tried to update the browser just now.
Still, the update was not automatic and required us to bring up the Settings menu and scan for updates.
CVE-2024-0519 is described as a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.
“The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow,” MITRE said. “The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.” What’s more, the vulnerability can be used to work around ASLR and similar bypass protection mechanisms and chained together with other flaws for RCE.
Given the severity of the vulnerability, Google decided not to share additional details until the vast majority of browsers had been updated.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Via BleepingComputer
