Google on Tuesday released updates that fix four security issues in its Chrome browser, including an actively exploited zero-day flaw.
The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to cause a crash.
“By reading out-of-bounds memory, an attacker could potentially obtain secret values such as memory addresses. In order to improve performance, it is possible to bypass protection mechanisms such as ASLR. It is not just a denial of service, but an execution,” according to MITRE’s Common Weakness Enumeration (CWE).
Additional details regarding the nature of the attack and the attackers who may be exploiting it are being withheld to prevent further exploitation. This issue was reported anonymously on January 11, 2024.
“Out-of-bounds memory access in Google Chrome V8 before 120.0.6099.224 could allow a remote attacker to exploit heap corruption via a crafted HTML page,” reads the description of the flaw listed in NIST’s National Vulnerability Database (NVD).
This development marks the first actively exploited zero-day that Google has patched in Chrome in 2024. Last year, the tech giant resolved a total of eight such actively exploited zero-days within its browser.
To mitigate potential threats, we recommend upgrading to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to apply the fix as soon as it becomes available.
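For administrators checking a fleet against the fixed builds listed above, the following added example (not from Google or the original article) classifies inventory entries by platform. It covers Google Chrome only, since the article gives no fixed builds for other Chromium-based browsers; the hostnames, sample versions and function names are constructed for illustration.

```python
import re

# Fixed builds as listed in the article (Windows ships .224 or .225; .224 is the floor).
FIXED = {
    "windows": (120, 0, 6099, 224),
    "macos": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from a string such as
    'Google Chrome 120.0.6099.216'. Returns a tuple of ints or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory entry."""
    floor = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # never report an unparseable entry as safe
    return "patched" if version >= floor else "vulnerable"


def audit(inventory):
    """inventory: iterable of (host, platform, version_text).
    Returns entries needing attention, as (host, status, version_text)."""
    return [(h, classify(p, v), v) for h, p, v in inventory
            if classify(p, v) != "patched"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 120.0.6099.225"),
    ("ws-002", "Windows", "Google Chrome 120.0.6099.217"),
    ("mac-01", "macOS", "Google Chrome 120.0.6099.224"),  # below the macOS floor
    ("lnx-01", "Linux", "Google Chrome 121.0.6167.85"),
    ("lnx-02", "Linux", "not installed"),
]

if __name__ == "__main__":
    for host, status, version in audit(SAMPLE):
        print(f"{host}: {status} ({version})")
```

Note that build 120.0.6099.224 counts as patched on Windows and Linux but not on macOS, where the fixed build is 120.0.6099.234.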