Third Chrome Zero-Day Patched by Google Within One Week

Google releases Chrome 125 to the stable channel with patches for nine vulnerabilities, including a zero-day.

Google on Wednesday announced the release of Chrome 125 to the stable channel with patches for nine vulnerabilities, including four reported by external researchers.

The most important of the bugs is CVE-2024-4947, a high-severity type confusion flaw in the V8 JavaScript engine that has already been exploited.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the internet giant notes in its advisory.

Successful exploitation of the vulnerability could allow “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” the NIST advisory reads. In practice that means code execution in Chrome's renderer process; reaching the underlying operating system additionally requires a separate sandbox-escape bug, which is why in-the-wild Chrome exploits are typically delivered as chains rather than as a single bug.

Google has credited Vasily Berdnikov and Boris Larin of Kaspersky for reporting the flaw on May 13 but has not shared details on the observed exploitation and has yet to disclose the bug bounty it would pay out for it.

The second externally reported bug that Chrome 125 resolves is CVE-2024-4948, a high-severity use-after-free issue in Dawn, the open source, cross-platform implementation of the WebGPU standard in Chromium. No reward has been disclosed for this vulnerability either.

Chrome 125 also resolves a medium-severity use-after-free bug in the V8 engine and a low-severity inappropriate-implementation bug in Downloads. Google says it paid bug bounty rewards of $7,000 and $1,000 for these two vulnerabilities, respectively.

The latest Chrome iteration is now rolling out as version 125.0.6422.60 for Linux and as versions 125.0.6422.60/.61 for Windows and macOS.

Users are advised to update their browsers as soon as possible, given that CVE-2024-4947 is the third Chrome zero-day to be resolved in one week.
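For anyone checking a fleet rather than a single desktop, the useful question is whether an installed build is at or above the patched version. The helper below is an added example, not code from the article or from Google; it assumes the fixed versions the article reports (125.0.6422.60 on Linux, 125.0.6422.60/.61 on Windows and macOS, so .60 is the floor everywhere) and parses the free-text output of `google-chrome --version`. The point it illustrates is that a naive string comparison gets this wrong (lexically, "125.0.6422.9" sorts after "125.0.6422.60"), so the version is split into integer fields before comparing, and anything that cannot be parsed is treated as unpatched.

```python
"""Check whether an installed Chrome build includes the Chrome 125 fixes.

Added example, not part of the SecurityWeek article. Assumes the fixed
build numbers the article reports: 125.0.6422.60 (Linux) and
125.0.6422.60/.61 (Windows, macOS). Since .61 is above .60, a single
floor of 125.0.6422.60 covers every platform.
"""
import re
import subprocess
from typing import Optional, Tuple

# Lowest build that carries the CVE-2024-4947 fix (from the article).
PATCHED_MIN: Tuple[int, int, int, int] = (125, 0, 6422, 60)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from free text.

    Accepts strings such as 'Google Chrome 125.0.6422.60' or
    'Chromium 124.0.6367.207 snap'. Returns None when no version is found,
    so callers can fail closed instead of guessing.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(p) for p in match.groups())
    return (major, minor, build, patch)


def is_patched(version_text: str, floor: Tuple[int, int, int, int] = PATCHED_MIN) -> bool:
    """True if the version in version_text is at or above the patched floor.

    Tuples of ints compare field by field, so 125.0.6422.9 is correctly
    ranked below 125.0.6422.60, which a plain string comparison would not do.
    Unparsable input is reported as NOT patched (fail closed).
    """
    version = parse_version(version_text)
    if version is None:
        return False
    return version >= floor


def installed_version_text(command=("google-chrome", "--version")) -> str:
    """Run the browser binary and return its version banner, or '' if absent.

    The default command is the Linux launcher name; Windows and macOS
    installs expose the version differently (registry / Info.plist), so
    callers on those platforms should pass the banner text in directly.
    """
    try:
        out = subprocess.run(command, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, standing in for real `--version` output.
    samples = [
        "Google Chrome 125.0.6422.60",
        "Google Chrome 125.0.6422.61",
        "Google Chrome 124.0.6367.207",
        "Chromium 125.0.6422.9",
        "command not found",
    ]
    for banner in samples:
        status = "patched" if is_patched(banner) else "UPDATE NEEDED"
        print(f"{banner!r:40} -> {status}")
    live = installed_version_text()
    if live:
        print(f"local install: {live!r} -> {'patched' if is_patched(live) else 'UPDATE NEEDED'}")
```

Run it directly to see the constructed samples classified; on a Linux host with Chrome installed it also reports the local build. Swap `PATCHED_MIN` for a different floor when a later advisory moves the bar.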

On May 9, Google rolled out patches for CVE-2024-4671, a use-after-free flaw in Visuals, and followed up on May 14 with a fix for CVE-2024-4761, an out-of-bounds write issue in V8.

CVE-2024-4947 is the fourth Chrome zero-day of 2024 to have been exploited in the wild and the seventh zero-day addressed in the browser this year.

Three of these zero-day vulnerabilities, namely CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were patched shortly after being demonstrated at the Pwn2Own Vancouver 2024 hacking contest.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.