Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Third Chrome Zero-Day Patched by Google Within One Week

Google releases Chrome 125 to the stable channel with patches for nine vulnerabilities, including a zero-day.

CVE-2024-5274

Google on Wednesday announced the release of Chrome 125 to the stable channel with patches for nine vulnerabilities, including four reported by external researchers.

The most important of the bugs is CVE-2024-4947, a high-severity type confusion flaw in the V8 JavaScript engine that has already been exploited.

“Google is aware that an exploit for CVE-2024-4947 exists in the wild,” the internet giant notes in its advisory.

Successful exploitation of the vulnerability could allow “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” a NIST advisory reads.

Google has credited Vasily Berdnikov and Boris Larin of Kaspersky for reporting the flaw on May 13 but has not shared details on the observed exploitation and has yet to disclose the bug bounty it would pay out for it.

The second externally reported bug that Chrome 125 resolves is CVE-2024-4948, a high-severity use-after-free issue in Dawn, the open source, cross-platform implementation of the WebGPU standard in Chromium. No reward has been disclosed for this vulnerability either.

Chrome 125 also resolves a medium-severity use-after-free bug in the V8 engine and a low-severity inappropriate implementation in Downloads. Google says it handed out bug bounty rewards of $7,000 and $1,000 for these two vulnerabilities, respectively.

The latest Chrome iteration is now rolling out as version 125.0.6422.60 for Linux and as versions 125.0.6422.60/.61 for Windows and macOS.

Advertisement. Scroll to continue reading.

Users are advised to update their browsers as soon as possible, given that CVE-2024-4947 is the third Chrome zero-day to be resolved in one week.

On May 9, Google rolled out patches for CVE-2024-4671, a use-after free flaw in Visuals, and followed up with patches for CVE-2024-4761 on May 14, an out-of-bounds write issue in V8.

CVE-2024-4947 is the fourth Chrome zero-day of 2024 to have been exploited in the wild and the seventh zero-day addressed in the browser this year.

Three of these zero-day vulnerabilities, namely CVE-2024-2886, CVE-2024-2887, and CVE-2024-3159, were patched shortly after being demonstrated at the Pwn2Own Vancouver 2024 hacking contest.

Related: Google Patches Critical Chrome Vulnerability

Related: Chrome 124, Firefox 125 Patch High-Severity Vulnerabilities

Related: Google Pays Out $41,000 for Three Serious Chrome Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights