Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability


Winston. I

5/16/2024

Google has released updates addressing nine security vulnerabilities in its Chrome browser, including a newly discovered zero-day that has been actively exploited.

Identified as CVE-2024-4947, this vulnerability is linked to a type confusion bug found in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris Larin on May 13, 2024.

Type confusion vulnerabilities occur when a program accesses a resource using a type that is incompatible with the resource's actual type. These vulnerabilities can have severe consequences, allowing threat actors to execute arbitrary code, cause crashes, and perform out-of-bounds memory access.

This release marks the third zero-day exploit patched by Google within a week, following CVE-2024-4671 and CVE-2024-4761.

As is customary, Google has not disclosed further details about the attacks to prevent further exploitation. "Google is aware that an exploit for CVE-2024-4947 exists in the wild," the company stated.

With CVE-2024-4947, Google has now addressed a total of seven zero-days in Chrome since the beginning of the year. The six earlier ones are:

- CVE-2024-0519 - Out-of-bounds memory access in V8

- CVE-2024-2886 - Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)

- CVE-2024-2887 - Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)

- CVE-2024-3159 - Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)

- CVE-2024-4671 - Use-after-free in Visuals

- CVE-2024-4761 - Out-of-bounds write in V8

Users are advised to update to Chrome version 125.0.6422.60/.61 for Windows and macOS, and version 125.0.6422.60 for Linux to mitigate these potential threats.

Furthermore, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should apply the updates as soon as they are available.
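To check the update guidance above across a set of machines, the following added example (not part of the original post) classifies browser version banners against the fixed build 125.0.6422.60 named in this article. The banner format (as printed by `--version`), the host names and the sample inventory are constructed assumptions.

```python
import re

# Lowest patched build named in the article (Windows/macOS also ship .61).
FIXED_BUILD = (125, 0, 6422, 60)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner):
    """Return 'patched', 'vulnerable', 'check-vendor' or 'unparsed' for one banner."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    # Only Google Chrome uses this build numbering. Other Chromium-based
    # browsers (Edge, Brave, Opera, Vivaldi) publish their own fixed versions.
    if not banner.strip().lower().startswith("google chrome"):
        return "check-vendor"
    # Compare as integer tuples: a string comparison would rank ".9" above ".60".
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory is an iterable of (host, banner)."""
    return {host: classify(banner) for host, banner in inventory}


def needs_action(inventory):
    """Hosts that are not confirmed patched, in inventory order."""
    return [h for h, status in audit(inventory).items() if status != "patched"]


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-001", "Google Chrome 125.0.6422.61"),
    ("ws-002", "Google Chrome 124.0.6367.207"),
    ("ws-003", "Google Chrome 125.0.6422.9"),
    ("ws-004", "Microsoft Edge 124.0.2478.97"),
    ("ws-005", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```
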