--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Zero-day Vulnerability in Chrome' number: '2024-044' version: '1.0' original_date: 'May 15, 2024' date: 'May 16, 2024' --- _History:_ * _16/05/2024 --- v1.0 -- Initial publication_ # Summary On May 15, 2024, Google has released an advisory addressing nine vulnerabilities, including a new zero-day bug identified as `CVE-2024-4947`. It has been reported that this vulnerability is being actively exploited [1]. This is the seventh zero-day vulnerability fixed by Google this year. # Technical Details - The vulnerability `CVE-2024-4947` is a type confusion bug in the V8 JavaScript and WebAssembly engine [2]. - The vulnerability `CVE-2024-4761` is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine [3]. - The vulnerability `CVE-2024-4671` is a use-after-free in a Visuals component [4]. - The vulnerability `CVE-2024-3159` is an out of bounds memory access in the V8 engines [5]. - The vulnerability `CVE-2024-2887` is a type confusion bug in the WebAssembly engine [6]. - The vulnerability `CVE-2024-2886` is a use after free bug in WebCodecs [6]. - The vulnerability `CVE-2024-0519` is an out of bounds memory access in the V8 engines [7]. # Affected Products Google Chrome prior to version 125.0.6422.60/.61 for Windows and Mac, 125.0.6422.60 for Linux are impacted [1]. Other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also affected. # Recommendations It is recommended updating Google Chrome browsers to the latest version. It is also advised updating other Chromium-based browsers when fixes become available. # References [1] [2] [3] [4] [5] [6] [7]