Google has patched a critical Chrome vulnerability, tracked as CVE-2024-10487, reported by Apple Security Engineering and Architecture (SEAR) on October 23, 2024.
The vulnerability is an out-of-bounds write issue that resides in the Dawn implementation.
Dawn is an open-source and cross-platform implementation of the WebGPU standard. More precisely it implements webgpu. h that is a one-to-one mapping with the WebGPU IDL. Dawn is meant to be integrated as part of a larger system and is the underlying implementation of WebGPU in Chromium.
It’s unclear if the vulnerability has been actively exploited in attacks in the wild.
Google also addressed a high-severity vulnerability, tracked as CVE-2024-10488, in WebRTC. The vulnerability is a use-after-free issue that resides in the WebRTC, it was reported by Cassidy Kim(@cassidy6564) on October 18, 2024.
Google addressed both issues with the release of Chrome 130.
“The Stable channel has been updated to 130.0.6723.91/.92 for Windows, Mac and 130.0.6723.91 for Linux which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.” reads the advisory. “The Extended Stable channel has been updated to 130.0.6723.92 for Windows and Mac which will roll out over the coming days/weeks. “
As usual, Google states that bug details and links remain restricted until most users have applied the fix.
Google Chrome is a privileged target of threat actors, in many cases, attackers exploited zero-days in the popular browser.
In August, Google released a security update to address a new Chrome zero-day vulnerability, tracked as CVE-2024-7965 (CVSS score 8.8), that is actively exploited.
The vulnerability is an Inappropriate implementation issue that resides in Chrome’s V8 JavaScript engine.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Google Chrome)