Google on Tuesday released updates to its Chrome browser to fix four security issues, including an actively exploited zero-day flaw.
The issue, tracked as CVE-2024-0519, is related to out-of-bounds memory access in the V8 JavaScript and WebAssembly engines, which can be weaponized by threat actors to trigger a crash.
“By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).
Additional details regarding the nature of the attacks and potential threats exploiting them have been withheld in an effort to prevent further exploitation. This issue was reported anonymously on January 11, 2024.
“Out-of-bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” reads a description of the flaw on the NIST’s National Vulnerability Database (NVD).
This development marks the first actively used zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 such actively used zero-days in browsers.
To mitigate potential threats, users are advised to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes when they become available.