Sixth Exploited Zero-Day Found This Year in Google Chrome


Another emergency security update has been released for Google Chrome, this time for CVE-2024-4761. This vulnerability is an out-of-bounds write issue which leads to unauthorized data access, arbitrary code execution, and program crashes. In the advisory released by Google, they acknowledged that this vulnerability is being actively exploited in the wild. Chrome should automatically update over the next few days, but users have been advised to ensure they are up to date. The patched versions of Chrome are:

  • 0.6367.207/.208 for Mac and Windows
  • 0.6367.207 for Linux
  • 0.6367.207 for the “Extended Stable” channel for Mac and Windows.

This advisory comes only days after the release of an advisory for CVE-2024-4671, which is a use-after-free vulnerability in the Visuals component. The Visuals component is responsible to rendering and displaying content in the browser. This flaw also leads to remote code execution and program crashes. Google acknowledged this vulnerability is also being actively exploited in the wild.

The above two patches are the fifth and sixth zero-day vulnerabilities that Google has fixed in Chrome this year. The previously patched vulnerabilities are:

  • CVE-2024-3156: Caused by an out-of-bounds read in the JavaScript engine, this vulnerability allows attackers to use a specially crafted HTML page to extract sensitive data.
  • CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API, attackers can use crafted HTML pages to perform arbitrary reads and writes, leading to remote code execution.
  • CVE-2024-2887: This vulnerability is a confusion flaw in the WebAssembly standard. Attacker leveraging crafted HTML pages can use this flaw for remote code execution.
  • CVE-2024-0519: Another out-of-bounds vulnerability within the JavaScript engine, attackers using crafted HTML pages can leverage heap corruption to obtain unauthorized data access.

With all of these zero-day vulnerabilities being exploited in the wild, Critical Path Security wants to remind everyone to please be sure the latest version is installed on your systems. Especially if you manage Chrome on an Enterprise level and prevent automatic updating. Chrome is an important tool for most workers, and ensuring that security flaws are patched quickly is imperative to keeping the cybersecurity posture for your organization.