Google has fixed its first actively exploited Chrome zero-day vulnerability of the year.
The flaw is tracked as CVE-2024-0519 and allows attackers to gain access to sensitive data or launch denial of service attacks. It was said that the flaw can also be chained with other vulnerabilities to achieve remote code execution (RCE).
“Google is aware of reports that an exploit exists for CVE-2024-0519,” the browser giant said in an advisory published earlier this week.
No details – yet
The latest version of the browser is 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac, and 120.0.6099.224 for Linux. Although Google usually says that the release of the patch to the stable desktop channel will be gradual, it was available when we tried to update the browser a moment ago.
Still, the update was not automatic and required us to open the Settings menu and check for updates.
CVE-2024-0519 is described as a high severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.
“The expected sentinel might not be located in out-of-bounds memory, resulting in excessive data reading, leading to a segmentation fault or buffer overflow,” MITER said. “The product may modify an index or perform pointer arithmetic that references a memory location that is outside the bounds of the buffer. A subsequent read operation produces undefined or unexpected results.” Furthermore, the vulnerability can be used to bypass ASLR and similar bypass protection mechanisms and be chained with other flaws for RCE.
Given the severity of the vulnerability, Google decided not to share additional details until the vast majority of browsers have been updated.
“Access to the bug details and links may remain restricted until the majority of users are updated with a fix,” Google said. “We will also maintain restrictions if the bug exists in a third-party library that other projects depend on in a similar way, but which has not yet been fixed.”
Through beepcomputer
