

Zero-Day Warning: Chrome Update Urgently Required to Address Newly Exploited Vulnerability

By Sharique

Google has issued updates to address four security vulnerabilities in its Chrome browser, including a zero-day flaw currently being actively exploited.

The identified issue, designated as CVE-2024-0519, revolves around an out-of-bounds memory access within the V8 JavaScript and WebAssembly engine. Exploitation of this flaw could lead to a system crash.

According to the MITRE Common Weakness Enumeration (CWE), malicious actors could potentially utilize this vulnerability to access secret values, like memory addresses. These values could aid in bypassing protection mechanisms like ASLR, thereby increasing the chances of exploiting other weaknesses to achieve code execution rather than just denial of service.

Further details regarding the specifics of the attacks and the actors behind them have not been disclosed to prevent further exploitation. The vulnerability was anonymously reported on January 11, 2024.

The flaw is described on the National Vulnerability Database (NVD) as “out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224,” which could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page.

This marks the first zero-day vulnerability actively exploited and patched by Google in Chrome for the year 2024. In the preceding year, Google addressed a total of eight similarly actively exploited zero-day vulnerabilities in the browser.

Users are strongly advised to update to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux as a precautionary measure against potential threats.

Users of Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also urged to apply the necessary updates as soon as they become available.
