On Thursday, Google issued patches to fix a high-severity security vulnerability in its Chrome browser that it said has been exploited in the wild.
Designated as CVE-2024-5274, this flaw is a type confusion bug within the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne from Google’s Threat Analysis Group and Brendon Tiszka from Chrome Security on May 20, 2024.
Type confusion vulnerabilities arise when a program accesses an object as if it were of a type other than the one it actually is. Because the two types have different memory layouts, field reads and writes land at the wrong offsets, and whatever data happens to sit there (an integer the attacker controls, for instance) gets trusted as a length or a pointer. Such flaws can have severe repercussions, enabling threat actors to perform out-of-bounds memory access, induce crashes, and run arbitrary code.
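To make the mechanism concrete, here is an added example in C, a constructed toy heap that is not V8 code and says nothing about how CVE-2024-5274 itself works. It assumes a hypothetical object model in which every object starts with a kind tag and a "fixed array" carries a length field at the offset where a boxed integer stores its value. The unchecked getter trusts the layout without checking the tag, so reading an integer object as an array turns the integer's value into a bogus length and the bounds check waves through an out-of-bounds read of the neighbouring object; the checked getter refuses. All objects live in a 64-byte arena at fixed offsets so that the out-of-bounds read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap (not V8 code): shows how a type confusion turns an
 * attacker-controlled integer into a bogus length and an out-of-bounds read. */

enum kind { KIND_SMI = 1, KIND_ARRAY = 2 };
enum { ERR_BOUNDS = -1, ERR_KIND = -2 };

struct header { uint32_t kind; };                   /* every object starts with a tag */
struct smi    { struct header h; int32_t value; };  /* boxed integer, 8 bytes */
struct array  { struct header h; uint32_t length; int32_t elems[4]; }; /* 24 bytes */

/* Objects sit at fixed offsets in a 64-byte arena so every read below,
 * including the out-of-bounds one, stays inside memory this program owns. */
enum { OFF_SMI = 0, OFF_NEIGHBOUR = 8, OFF_ARRAY = 16, ARENA_SIZE = 64 };
#define NEIGHBOUR_SECRET 0x41414141

static union { unsigned char bytes[ARENA_SIZE]; uint64_t align[ARENA_SIZE / 8]; } arena;

/* Layout: an smi holding a huge (attacker-chosen) value, a neighbour word that
 * should stay private to its owner, and a genuine 2-element array. */
const unsigned char *arena_init(void) {
    struct smi s = { { KIND_SMI }, INT32_MAX };
    uint32_t neighbour[2] = { NEIGHBOUR_SECRET, 0x42424242 };
    struct array a = { { KIND_ARRAY }, 2, { 7, 9, 0, 0 } };
    memset(arena.bytes, 0, ARENA_SIZE);
    memcpy(arena.bytes + OFF_SMI, &s, sizeof s);
    memcpy(arena.bytes + OFF_NEIGHBOUR, neighbour, sizeof neighbour);
    memcpy(arena.bytes + OFF_ARRAY, &a, sizeof a);
    return arena.bytes;
}

/* Vulnerable getter: assumes obj is an array. If obj is really an smi, the
 * integer's value sits where length is expected, so the bounds check passes
 * for indexes far past the 8-byte object and elems[idx] reads the neighbour
 * (idx 0..13 stays inside the arena; a real heap would read whatever follows). */
int64_t array_get_unchecked(const unsigned char *obj, uint32_t idx) {
    const struct array *a = (const struct array *)obj;
    if (idx >= a->length) return ERR_BOUNDS;
    return a->elems[idx];
}

/* Hardened getter: verify the tag before trusting the layout. */
int64_t array_get_checked(const unsigned char *obj, uint32_t idx) {
    const struct header *h = (const struct header *)obj;
    if (h->kind != KIND_ARRAY) return ERR_KIND;
    return array_get_unchecked(obj, idx);
}

int main(void) {
    const unsigned char *heap = arena_init();
    printf("unchecked on smi, idx 0: 0x%llx (neighbour leaked)\n",
           (long long)array_get_unchecked(heap + OFF_SMI, 0));
    printf("checked on smi, idx 0:   %lld (ERR_KIND)\n",
           (long long)array_get_checked(heap + OFF_SMI, 0));
    printf("checked on real array:   %lld then %lld (ERR_BOUNDS)\n",
           (long long)array_get_checked(heap + OFF_ARRAY, 1),
           (long long)array_get_checked(heap + OFF_ARRAY, 2));
    return 0;
}
```

The point of the example is that the bounds check in the unchecked getter is not wrong in itself; it is comparing against a field that was never a length. In a JIT engine the equivalent failure is a compiled function that keeps assuming an object's shape after something has changed it, which is why V8 type confusion bugs are usually fixed by re-checking or re-deriving the object's type rather than by tightening bounds checks.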
This update marks the fourth zero-day vulnerability that Google has addressed this month, following CVE-2024-4671, CVE-2024-4761, and CVE-2024-4947.
Google has not divulged further technical specifics about the flaw but confirmed that “an exploit for CVE-2024-5274 exists in the wild.” It’s unclear whether this vulnerability is a bypass for CVE-2024-4947, another type confusion bug in V8.
With this latest fix, Google has resolved a total of eight zero-day vulnerabilities in Chrome since the beginning of the year; the seven patched earlier are:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
Users are urged to update to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to mitigate potential threats. Opening chrome://settings/help shows the installed version and triggers an update check; the fix only takes effect once the browser has been relaunched.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the patches as soon as they become available.