Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild.
The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024.
Out-of-bounds write bugs could be typically exploited by malicious actors to corrupt data, or induce a crash or execute arbitrary code on compromised hosts.
“Google is aware that an exploit for CVE-2024-4761 exists in the wild,” the tech giant said.
Additional details about the nature of the attacks have been withheld to prevent more threat actors from weaponizing the flaw.
The disclosure comes merely days after the company patched CVE-2024-4671, a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks.
With the latest fix, Google has addressed a total of six zero-days since the start of the year, three of which were demonstrated at the Pwn2Own hacking contest in Vancouver in March –
- CVE-2024-0519 – Out-of-bounds memory access in V8 (actively exploited)
- CVE-2024-2886 – Use-after-free in WebCodecs
- CVE-2024-2887 – Type confusion in WebAssembly
- CVE-2024-3159 – Out-of-bounds memory access in V8
- CVE-2024-4671 – Use-after-free in Visuals (actively exploited)
Users are recommended to upgrade to Chrome version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.