Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Pierluigi Paganini March 28, 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during the Pwn2Own Vancouver 2024.

Google addressed several vulnerabilities in the Chrome web browser this week, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition.

The high-severity vulnerability CVE-2024-2886 is a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024.

The high-serverity vulnerability CVE-2024-2887 is a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024.

Google also addressed the following vulnerabilities:

  • [$10000][327807820] Critical CVE-2024-2883: Use after free in ANGLE. Reported by Cassidy Kim(@cassidy6564) on 2024-03-03
  • [TBD][328958020] High CVE-2024-2885: Use after free in Dawn. Reported by wgslfuzz on 2024-03-11

“The Stable channel has been updated to 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 to Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.” reads the advisory published by the It giant.

The IT giant did not reveal if the vulnerabilities have been actively exploited in the wild.

Mozilla last week addressed two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition.

The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, respectively tracked CVE-2024-29944 and CVE-2024-29943.

On Day Two, Paul demonstrated a sandbox escape of Mozilla Firefox by using an OOB Write for the RCE and an exposed dangerous function bug. He earned $100,000 and 10 Master of Pwn points for this hack.

Below is the description of both issues, according to the advisory the vulnerability CVE-2024-29944 affects Desktop Firefox only, it does not affect mobile versions of Firefox:

  • CVE-2024-29943: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by fooling range-based bounds check elimination.
  • CVE-2024-29944: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process. 

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to address both issues.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

you might also like

leave a comment