Pierluigi Paganini May 10, 2024

Since the start of the year, Google released an update to fix the fifth actively exploited zero-day vulnerability in the Chrome browser.

Google this week released security updates to address a zero-day flaw, tracked as CVE-2024-4671, in Chrome browser. The vulnerability is the fifth zero-day flaw in the Google browser that is exploited in the wild since the start of the year.

The vulnerability is a use-after-free issue that resides in the Visuals component. The flaw was reported by an anonymous researcher on May 7, 2024.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild.” reads the advisory published by Google. As usual, the IT giant has not revealed details about the attacks exploiting this vulnerability.

The company addressed the vulnerability with the release of 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux, with the updates rolling out over the coming days/weeks.

Below is the list of actively exploited zero-day in the Chrome browser that have been fixed this year:

• CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
• CVE-2024-2887:  a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
• CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
• CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)