On Tuesday, Google released updates to address four security issues in its Chrome browser, including an actively exploited zero-day flaw.
The issue is tracked as CVE-2024-0519V8 refers to out-of-bounds memory access in the JavaScript and WebAssembly engine, which can be weaponized by threat actors to cause a crash.
“By reading out-of-bounds memory, an attacker can obtain hidden values such as memory addresses that can bypass protection mechanisms such as ASLR to increase reliability and the likelihood of exploiting a separate vulnerability to obtain code execution instead of just a denial of service,” according to MITRE’s Common Vulnerability List (CWE).
Additional details about the nature of the attacks and the threat actors that might exploit them have been withheld to prevent future exploitation. Issue reported anonymously on January 11, 2024.
“Before 120.0.6099.224, out-of-bounds memory access in Google Chrome V8 allowed a remote attacker to exploit stack corruption via a crafted HTML page” description of the defect In NIST’s National Vulnerability Database (NVD).
The development is a zero-day that was first actively exploited by Google in 2024 in Chrome. Last year, the tech giant solved a total of 8 such actively used zero days in the browser.
To mitigate potential threats, users are advised to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi are also advised to apply fixes when available.