Pierluigi Paganini April 03, 2024

Google fixed another Chrome zero-day vulnerability exploited during the Pwn2Own hacking competition in March.

Google has addressed another zero-day vulnerability in the Chrome browser, tracked as CVE-2024-3159, that was exploited during the Pwn2Own hacking competition in March, 2024.

The vulnerability CVE-2024-3159 is an out of bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. The duo earned $42,500 and 9 Master of Pwn points for demonstrating their exploit against Google Chrome and Microsoft Edge.

A remote attacker can exploit this issue by tricking the victim into visiting a specially crafted HTML page to gain access to data beyond the memory buffer triggering heap corruption. The exploitation can lead to the disclosure of sensitive information or a crash.

Palo Alto Networks security researchers Edouard Bochin and Tao Yan demoed the zero-day on the second day of Pwn2Own Vancouver 2024 to defeat V8 hardening.

“The Stable channel has been updated to 123.0.6312.105/.106/.107 for Windows and Mac and 123.0.6312.105 to Linux which will roll out over the coming days/weeks.” reads the Release updates from the Chrome team.

The IT giant also addressed the following issues:

• [$7000][329130358] High CVE-2024-3156: Inappropriate implementation in V8. Reported by Zhenghang Xiao (@Kipreyyy) on 2024-03-12
• [$3000][329965696] High CVE-2024-3158: Use after free in Bookmarks. Reported by undoingfish on 2024-03-17

At the end of March, Google addressed several vulnerabilities in the Chrome web browser this week, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition.

The high-severity vulnerability CVE-2024-2886 is a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024.

The high-serverity vulnerability CVE-2024-2887 is a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024.

In January, Google addressed the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

The high-serverity vulnerability, tracked as CVE-2024-0519, is an out of bounds memory access in the Chrome JavaScript engine. The flaw was reported by Anonymous on January 11, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)