Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild.
Assigned the CVE identifier CVE-2024-4947, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris Larin on May 13, 2024.
Type confusion vulnerabilities arise when a program attempts to access a resource with an incompatible type. It can have serious impacts as it allows threat actors to perform out-of-bounds memory access, cause a crash, and execute arbitrary code.
The development marks the third zero-day that Google has patched within a week after CVE-2024-4671 and CVE-2024-4761.
As is typically the case, no additional details about the attacks are available and have been withheld to prevent further exploitation. “Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the company said.
With CVE-2024-4947, a total of seven zero-days have been resolved by Google in Chrome since the start of the year –
- CVE-2024-0519 – Out-of-bounds memory access in V8
- CVE-2024-2886 – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887 – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159 – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671 – Use-after-free in Visuals
- CVE-2024-4761 – Out-of-bounds write in V8
Users are recommended to upgrade to Chrome version 125.0.6422.60/.61 for Windows and macOS, and version 125.0.6422.60 for Linux to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
