

    Urgent Chrome Zero-Day Alert — Secure Your Browser with Latest Updates to Rectify New Vulnerability

    Google issued critical security updates on Thursday to rectify a zero-day flaw in Chrome, which it disclosed has been actively exploited in live environments.

    Tracked as CVE-2024-4671, the high-severity vulnerability is a use-after-free bug in the Visuals component. It was reported to Google by an anonymous researcher on May 7, 2024.

    Use-after-free bugs, which arise when a program references a memory location after it has been deallocated, can have consequences ranging from system crashes to the execution of arbitrary code.

    In a brief advisory, Google acknowledged that an exploit for CVE-2024-4671 exists in the wild, but did not disclose details of how it is being exploited or the identity of the threat actors involved.

    This is the second time in 2024 that Google has addressed an actively exploited zero-day vulnerability in Chrome.

    Earlier in January, the company patched an out-of-bounds memory access issue in the V8 JavaScript and WebAssembly engine (CVE-2024-0519, CVSS score: 8.8) that could cause system crashes.

    Furthermore, Google tackled three other zero-day vulnerabilities disclosed during the Pwn2Own hacking competition in Vancouver in March:

    • CVE-2024-2886: Use-after-free vulnerability in WebCodecs
    • CVE-2024-2887: Type confusion in WebAssembly
    • CVE-2024-3159: Out-of-bounds memory access in V8

    To safeguard against potential threats, users are strongly urged to update their Chrome browsers to version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux.

    Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are advised to implement the available fixes in a timely manner.
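
    One way to triage a browser inventory against the fixed builds named above. This is an added example, not code from Google or from the original article; the host names, function names and inventory rows are constructed for illustration.

```python
import re

# Fixed builds as stated in the article: 124.0.6367.201/.202 on Windows and
# macOS, 124.0.6367.201 on Linux. The lower build is used as the minimum.
FIXED = {
    "windows": (124, 0, 6367, 201),
    "macos": (124, 0, 6367, 201),
    "linux": (124, 0, 6367, 201),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def triage(platform, product, version_text):
    """Return 'patched', 'needs_update', 'check_vendor' or 'unknown'."""
    if product.strip().lower() != "google chrome":
        # Edge, Brave, Opera and Vivaldi number their releases independently,
        # so Chrome's build numbers cannot be compared against theirs.
        return "check_vendor"
    minimum = FIXED.get(platform.strip().lower())
    match = VERSION_RE.search(version_text)
    if minimum is None or match is None:
        return "unknown"
    installed = tuple(int(part) for part in match.groups())
    # Tuples compare numerically per component, so build .99 < .201
    # (a plain string comparison would get this wrong).
    return "patched" if installed >= minimum else "needs_update"


# Constructed inventory rows: (host, platform, product, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "Google Chrome", "Google Chrome 124.0.6367.202"),
    ("ws-02", "linux", "Google Chrome", "Google Chrome 124.0.6367.99"),
    ("ws-03", "macos", "Google Chrome", "Google Chrome 123.0.6312.122"),
    ("ws-04", "windows", "Microsoft Edge", "Microsoft Edge 124.0.2478.97"),
    ("ws-05", "linux", "Google Chrome", "version unavailable"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(plat, prod, ver) for host, plat, prod, ver in inventory}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```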
