Connect with us

Hi, what are you looking for?



Google Patches Critical Chrome Vulnerability

Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. 


Google on Wednesday announced the availability of a Chrome 124 update that patches four vulnerabilities, including a critical security hole.

The critical vulnerability, tracked as CVE-2024-4058, has been described as a type confusion bug in the ANGLE graphics layer engine. 

Considering that it has been assigned a ‘critical’ severity rating, the flaw can likely be exploited remotely for arbitrary code execution or sandbox escapes with limited user interaction.

Only a few Chrome vulnerabilities have been assigned ‘critical’ severity ratings in the past years.

Google has credited two members of Qrious Secure for reporting CVE-2024-4058. They have been awarded a $16,000 bounty for their findings.

Qrious Secure describes itself as a group of “experienced hackers who love nothing more than finding vulnerabilities and vulnerabilities and exploiting them for fun and profit”. 

The group has reported at least two other Chrome vulnerabilities to Google: CVE-2024-0517, which allows remote code execution, and CVE-2024-0223, which the researchers said “can be exploited directly from JavaScript, potentially granting GPU privilege permissions”. Both were patched earlier this year.

Google has not mentioned anything about CVE-2024-4058 being exploited in the wild. It’s not uncommon for threat actors to exploit type confusion bugs found in Chrome, but they typically impact the V8 JavaScript engine. 

Advertisement. Scroll to continue reading.

The latest Chrome update also patches two high-severity vulnerabilities for which bug bounties have yet to be determined: CVE-2024-4059, an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free in the Dawn component.

Related: Chrome to Fight Cookie Theft With Device Bound Session Credentials 

Related: Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own

Related: Chrome 124, Firefox 125 Patch High-Severity Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights