Google fixes 2nd Zero-Day in a Week – CVE-2024-4947


Google has released an emergency security update for a zero-day vulnerability in the Chrome browser that is being actively exploited by attackers in the wild.

The vulnerability, tracked as CVE-2024-4947, is a type confusion bug in the V8 JavaScript engine that could allow remote code execution attacks.

A type confusion bug in the V8 JavaScript engine is a vulnerability in which the engine incorrectly interprets the type of an object, leading to logical errors and potentially allowing attackers to execute arbitrary code.

Vasily Berdnikov and Boris Larin from Kaspersky discovered the vulnerability on May 13th and reported it to Google.

Google is aware of an exploit for CVE-2024-4947 existing in the wild and urges users to update their browsers as soon as possible.

This is the 7th zero-day exploit to target Chrome users this year and the 2nd within the week, highlighting the persistent threat posed by sophisticated cyber-attacks.

Along with this zero-day patch, the Chrome 125 update includes 8 other security fixes. Below are some of the important ones.

  • CVE-2024-4948 (High) – Use after free in Dawn, reported by wgslfuzz
  • CVE-2024-4949 (Medium) – Use after free in V8, reported by Ganjiang Zhou
  • CVE-2024-4950 (Low) – Inappropriate implementation in Downloads, reported by Shaheen Fazim

Google urges all Chrome users on Windows, Mac, and Linux to ensure they are running version 125.0.6422.60 or later by manually checking for updates.

Google has restricted access to bug details until most users have updated Chrome. The company thanked all external researchers as well as its internal security teams for their contributions to this release.
