"Third Chrome Zero-Day Patched by Google Within One Week"

Google recently announced the release of Chrome 125 to the stable channel with patches for nine vulnerabilities, including four reported by external researchers. The most critical bug is CVE-2024-4947, a high-severity type confusion flaw in the V8 JavaScript engine that has already been exploited. Google noted that successfully exploiting the vulnerability could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. The second externally reported bug that Chrome 125 resolves is CVE-2024-4948, a high-severity use-after-free issue in Dawn, the open source, cross-platform implementation of the WebGPU standard in Chromium. Google noted that Chrome 125 also resolves a medium-severity use-after-free bug in the V8 engine and a low-severity inappropriate implementation in Downloads. The latest Chrome iteration is now rolling out as version 125.0.6422.60 for Linux and as versions 125.0.6422.60/.61 for Windows and macOS. Users are advised to update their browsers as soon as possible, given that CVE-2024-4947 is the third Chrome zero-day to be resolved in one week. On May 9, Google rolled out patches for CVE-2024-4671, a use-after free flaw in Visuals, and followed up with patches for CVE-2024-4761 on May 14, an out-of-bounds write issue in V8. CVE-2024-4947 is the fourth Chrome zero-day of 2024 to have been exploited in the wild and the seventh zero-day addressed in the browser this year.

SecurityWeek reports: "Third Chrome Zero-Day Patched by Google Within One Week"