Google Chrome Zero-day Vulnerability (CVE-2024-4947) Actively Exploited in The Wild

Google has released an emergency security update for its Chrome web browser to patch a high-severity vulnerability that is being actively exploited by attackers in the wild.

The zero-day flaw, tracked as CVE-2024-4947, is a type confusion bug in the V8 JavaScript engine that could allow remote code execution attacks.

A type confusion bug in the V8 JavaScript engine refers to a vulnerability where the engine incorrectly interprets the type of an object, leading to logical errors and potentially allowing attackers to execute arbitrary code.

This kind of vulnerability is particularly dangerous because it can be exploited to cause heap corruption by crafting a specific HTML page that triggers the bug, thereby compromising the security of the browser and the underlying system.

Chrome 125.0.6422.60 for Linux and 125.0.6422.60/.61 for Windows and Mac bring several fixes and improvements to the popular web browser. The official release log provides a comprehensive list of changes.

Security researchers Vasily Berdnikov and Boris Larin from Kaspersky discovered the vulnerability on May 13th and reported it to Google.

“Google is aware of an exploit for CVE-2024-4947 existing in the wild and urges users to update their browsers as soon as possible.”

This marks the 7th zero-day exploit and the 2nd zero-day within the week that targeted Chrome users this year, highlighting the persistent threat posed by sophisticated cyber-attacks.

Free On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Other Security Fixes

In addition to the zero-day patch, the Chrome 125 update includes 8 other security fixes:

• CVE-2024-4948 (High) – Use after free in Dawn, reported by wgslfuzz
• CVE-2024-4949 (Medium) – Use after free in V8, reported by Ganjiang Zhou
• CVE-2024-4950 (Low) – Inappropriate implementation in Downloads, reported by Shaheen Fazim
• Various other fixes from internal audits and fuzzing

Google has restricted access to bug details until most users have updated Chrome. The company thanked all external researchers as well as its internal security teams for their contributions to this release.

Update Recommended

While Chrome will automatically update for most users, Google urges all Chrome users on Windows, Mac and Linux to ensure they are running version 125.0.6422.60 or later by manually checking for updates.

The new version contains critical security patches to protect against potential attacks exploiting the zero-day vulnerability.

The Chrome team expressed gratitude to all security researchers who collaborated with them during the development cycle, helping to prevent security bugs from reaching the stable channel.

Get 6 Months of ANY.RUN Malware Sandbox Paid Plans for Free before May 31st - Register Here