Pierluigi Paganini May 16, 2024

Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week.

Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-4947, in the Chrome browser, it is the third zero-day exploited in attacks that was disclosed this week.

The vulnerability CVE-2024-4947 is a type confusion that resides in V8 JavaScript engine. The vulnerability was reported by Vasily Berdnikov (@vaber_b) and Boris Larin (@oct0xor) of Kaspersky on May 13, 2024.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” reads the advisory published by Google.

This week the IT giant fixed other two actively exploited Chrome zero-day issues, respectively tracked CVE-2024-4671 and CVE-2024-4761.

Below is the list of actively exploited zero-day vulnerabilities in the Chrome browser that have been fixed this year:

• CVE-2024-0519: an out of bounds memory access in the Chrome JavaScript engine. (January 2024)
• CVE-2024-2887:  a type confusion issue that resides in WebAssembly. Manfred Paul demonstrated the vulnerability during the Pwn2Own 2024. (March 2024)
• CVE-2024-2886: a use after free issue that resides in the WebCodecs. The flaw was demonstrated by Seunghyun Lee (@0x10n) of KAIST Hacking Lab during the Pwn2Own 2024. (March 2024)
• CVE-2024-3159: an out-of-bounds memory access in V8 JavaScript engine. The flaw was demonstrated by Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) of Palo Alto Networks during the Pwn2Own 2024 on March 22, 2024. (March 2024)
• CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). 
• CVE-2024-4761: an out-of-bounds write issue that resides in the V8 JavaScript engine (May 2024). 

Google also addressed the following vulnerabilities:

• [TBD][333414294] High CVE-2024-4948: Use after free in Dawn. Reported by wgslfuzz on 2024-04-09
• [$7000][326607001] Medium CVE-2024-4949: Use after free in V8. Reported by Ganjiang Zhou(@refrain_areu) of ChaMd5-H1 team on 2024-02-24
• [$1000][40065403] Low CVE-2024-4950: Inappropriate implementation in Downloads. Reported by Shaheen Fazim on 2023-06-06

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)