Google Chrome Zero-day Vulnerability, Eighth this year (CVE-2024-5274)

Another vulnerability in Chrome is being exploited in the wild. Tracked as CVE-2024-5274, it is a type confusion vulnerability in the V8 JavaScript engine. Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security discovered and reported the vulnerability.

CISA acknowledged the active exploitation of CVE-2024-5274 by adding it to its Known Exploited Vulnerabilities Catalog. CISA asked users to patch the flaw before June 18, 2024.

This is the eighth zero-day vulnerability fixed in Chrome so far this year. The list includes:

  • CVE-2024-0519: Out-of-bounds memory access in V8 
  • CVE-2024-2887: Type confusion in WebAssembly 
  • CVE-2024-2886: Use-after-free in WebCodecs 
  • CVE-2024-3159: Out-of-bounds memory access in V8 
  • CVE-2024-4671: Use-after-free in Visuals 
  • CVE-2024-4761: Out-of-bounds write in V8 
  • CVE-2024-4947: Type confusion in V8

Affected Versions

Google Chrome versions before 125.0.6422.112 are affected by this vulnerability.

Mitigation

Customers are requested to upgrade to the latest stable channel version: 125.0.6422.112/.113 for Windows and Mac, and 125.0.6422.112 for Linux.

For more information, please refer to the Google Chrome Release Page.

Qualys Detection

Qualys customers can scan their devices with QIDs 379868 and 379883 to detect vulnerable assets.

Microsoft has released the Edge Stable Channel (Version 125.0.2535.67) to address CVE-2024-5274, which the Chromium team has reported as being exploited in the wild.
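
For teams triaging a software inventory by hand, the following added example (not Qualys or Google code) classifies browser version strings against the fixed builds named above. The inventory line format and host names are constructed for illustration, and treating Edge builds below 125.0.2535.67 as unpatched is an assumption drawn from the Edge release noted above.

```python
import re

# Fixed builds taken from this advisory; anything lower lacks the CVE-2024-5274 fix.
FIXED = {
    "chrome": (125, 0, 6422, 112),
    "edge": (125, 0, 2535, 67),
}
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def product_of(text):
    """Map an inventory line to a key in FIXED, or None if it is neither browser."""
    lowered = text.lower()
    if "edge" in lowered:
        return "edge"
    if "chrome" in lowered:  # "chromium" does not match: no fixed build given for it
        return "chrome"
    return None


def assess(line):
    """Classify one inventory line as 'vulnerable', 'patched' or 'unknown'."""
    product, version = product_of(line), parse_version(line)
    if product is None or version is None:
        return "unknown"
    # Compare as integer tuples. Comparing the raw strings would rank
    # "125.0.6422.60" above "125.0.6422.112" and miss an unpatched host.
    return "vulnerable" if version < FIXED[product] else "patched"


# Constructed sample inventory lines (not real scan output).
SAMPLE = [
    "host-a  Google Chrome 125.0.6422.60",
    "host-b  Google Chrome 125.0.6422.113",
    "host-c  Microsoft Edge 125.0.2535.51",
    "host-d  Microsoft Edge 125.0.2535.67",
    "host-e  Chromium 124.0.6367.60",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{assess(entry):<10} {entry}")
```

Lines reported as "unknown" need manual review rather than being treated as safe.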

Rapid Response with Patch Management (PM)

Qualys Patch Management and its Zero-Touch Patching feature provide a seamless, automated process of patching a vulnerability like this.

Zero-Touch Patching identifies the most vulnerable products in your environment and automates the deployment of necessary patches and configuration adjustments. This not only streamlines the patching process but also ensures vulnerabilities are addressed promptly.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html
