Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Patches Critical Chrome Vulnerability

Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. 

CVE-2024-5274

Google on Wednesday announced the availability of a Chrome 124 update that patches four vulnerabilities, including a critical security hole.

The critical vulnerability, tracked as CVE-2024-4058, has been described as a type confusion bug in the ANGLE graphics layer engine. 

Considering that it has been assigned a ‘critical’ severity rating, the flaw can likely be exploited remotely for arbitrary code execution or sandbox escapes with limited user interaction.

Only a few Chrome vulnerabilities have been assigned ‘critical’ severity ratings in the past years.

Google has credited two members of Qrious Secure for reporting CVE-2024-4058. They have been awarded a $16,000 bounty for their findings.

Qrious Secure describes itself as a group of “experienced hackers who love nothing more than finding vulnerabilities and vulnerabilities and exploiting them for fun and profit”. 

The group has reported at least two other Chrome vulnerabilities to Google: CVE-2024-0517, which allows remote code execution, and CVE-2024-0223, which the researchers said “can be exploited directly from JavaScript, potentially granting GPU privilege permissions”. Both were patched earlier this year.

Google has not mentioned anything about CVE-2024-4058 being exploited in the wild. It’s not uncommon for threat actors to exploit type confusion bugs found in Chrome, but they typically impact the V8 JavaScript engine. 

Advertisement. Scroll to continue reading.

The latest Chrome update also patches two high-severity vulnerabilities for which bug bounties have yet to be determined: CVE-2024-4059, an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free in the Dawn component.

Related: Chrome to Fight Cookie Theft With Device Bound Session Credentials 

Related: Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own

Related: Chrome 124, Firefox 125 Patch High-Severity Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights