Google has released security updates to address four vulnerabilities impacting Chrome. One of the four vulnerabilities, CVE-2024-0519, is being exploited in the wild. The vulnerability was reported anonymously to Google. CVE-2024-0519 is the first zero-day vulnerability addressed by Google this year.
CVE-2024-0519 is a high-severity out-of-bounds memory access vulnerability in V8, Chrome's JavaScript and WebAssembly engine. An attacker may exploit the vulnerability to trigger a crash.
Acknowledging its active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before February 2, 2024.
Other vulnerabilities patched in the updates are:
CVE-2024-0517
Toan (suto) Pham of Qrious Secure discovered and reported the vulnerability to Google. This is a high-severity out-of-bounds write vulnerability in V8.
CVE-2024-0518
Ganjiang Zhou of the team ChaMd5-H1 discovered and reported the vulnerability to Google. This is a high-severity type confusion vulnerability in V8.
Affected Versions
Google Chrome versions before 120.0.6099.234 are affected by these vulnerabilities.
Mitigation
Customers are requested to upgrade to the latest Stable channel version: 120.0.6099.234 for Mac, 120.0.6099.224 for Linux, and 120.0.6099.224/225 for Windows.
Google will release Extended Stable channel 120.0.6099.234 for Mac and 120.0.6099.225 for Windows in the coming weeks.
For more information, please refer to the Google Chrome Release Page.
Qualys Detection
Qualys customers can scan their devices with QIDs 379263 and 379271 to detect vulnerable assets.
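As an added example, not Qualys or Google tooling, the following script checks a browser version inventory against the fixed builds listed above, treating both Windows builds (224 and 225) as patched. The inventory records, hostnames and helper names are constructed for this illustration.

```python
"""Added example: flag Chrome/Edge installs that predate the CVE-2024-0519 fix.
Inventory records and hostnames are constructed; this is not Qualys tooling."""
from typing import Dict, List, Tuple

# Lowest Stable channel build carrying the fix, per platform, taken from the
# release note above. Windows shipped two fixed builds (224 and 225), so any
# Windows build at or above 224 counts as patched.
FIXED_CHROME: Dict[str, Tuple[int, ...]] = {
    "mac": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
    "windows": (120, 0, 6099, 224),
}
FIXED_EDGE: Tuple[int, ...] = (120, 0, 2210, 133)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '120.0.6099.224' into a comparable tuple; reject malformed strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(browser: str, platform: str, version: str) -> bool:
    """True when the installed build is older than the fixed build for its platform."""
    browser, platform = browser.lower(), platform.lower()
    if browser == "chrome":
        fixed = FIXED_CHROME[platform]
    elif browser == "edge":
        fixed = FIXED_EDGE
    else:
        raise ValueError(f"unknown browser: {browser!r}")
    return parse_version(version) < fixed


def triage(inventory: List[dict]) -> List[str]:
    """Return the hostnames still running an unpatched build."""
    return [a["host"] for a in inventory
            if is_vulnerable(a["browser"], a["platform"], a["version"])]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "mac-01", "browser": "chrome", "platform": "mac", "version": "120.0.6099.216"},
    {"host": "mac-02", "browser": "chrome", "platform": "mac", "version": "120.0.6099.234"},
    {"host": "lin-01", "browser": "chrome", "platform": "linux", "version": "120.0.6099.224"},
    {"host": "win-01", "browser": "chrome", "platform": "windows", "version": "120.0.6099.225"},
    {"host": "win-02", "browser": "chrome", "platform": "windows", "version": "119.0.6045.199"},
    {"host": "win-03", "browser": "edge", "platform": "windows", "version": "120.0.2210.121"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```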
Microsoft has released the Edge Stable Channel (Version 120.0.2210.133) to address CVE-2024-0519, which the Chromium team has reported as being exploited in the wild.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html