Google has released a security update for the Chrome browser to fix the fifth zero-day vulnerability exploited in the wild since the start of the year.
The high-severity issue tracked as CVE-2024-4671 is a “user after free” vulnerability in the Visuals component that handles the rendering and display of content on the browser.
CVE-2024-4671 was discovered and reported to Google by an anonymous researcher, while the company disclosed that it is likely actively exploited.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” reads the advisory without providing additional information.
Use after-free flaws are security flaws that occur when a program continues to use a pointer after the memory it points to has been freed, following the completion of its legitimate operations on that region.
Because the freed memory could now contain different data or be used by other software or components, accessing it could result in data leakage, code execution, or crash.
Google addressed the problem with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.
For users of the ‘Extended Stable’ channel, fixes will be made available in version 124.0.6367.201 for Mac and Windows, also to roll out later.
Chrome updates automatically when a security update is available, but users can confirm they’re running the latest version by going to Settings > About Chrome, letting the update finish, and then clicking on the ‘Relaunch’ button to apply it.
This latest flaw addressed in Google Chrome is the fifth this year, with three others discovered during the March 2024 Pwn2Own hacking contest in Vancouver.
The complete list of Chrome zero-day vulnerabilities fixed since the start of 2024 also includes the following:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
