Google has fixed its first actively exploited Chrome zero-day vulnerability of the year.
The flaw is tracked as CVE-2024-0519 and allows attackers to access sensitive data or conduct denial-of-service attacks. The flaw could also be linked to other vulnerabilities to achieve Remote Code Execution (RCE), it said.
“Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild,” the browser giant said in a statement. advisory published earlier this week.
No details yet
The latest version of the browser is 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac and 120.0.6099.224 for Linux. Although Google usually says that the rollout of the patch to the Stable Desktop channel will be gradual, it was already available when we just tried to update the browser.
Still, the update wasn’t automatic and we had to open the Settings menu and check for updates.
CVE-2024-0519 is described as a serious vulnerability in out-of-bounds memory access in the Chrome V8 JavaScript engine.
“The expected sentinel may not be in out-of-bounds memory, causing excessive data reads, leading to a segmentation error or a buffer overflow,” MITER said. “The product may modify an index or perform pointer calculations that reference a memory location that is outside the bounds of the buffer. A subsequent read operation may produce undefined or unexpected results.” Furthermore, the vulnerability can be used to bypass ASLR and similar bypass protection mechanisms and linked to other flaws for RCE.
Given the severity of the vulnerability, Google has decided not to share additional details until the vast majority of browsers have been updated.
“Access to bug details and links may remain limited until a majority of users have been updated with a fix,” Google said. “We will also enforce restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet been resolved.”
Through BleepingComputer