Google Releases Security Update for Exploited Vulnerability CVE-2024-4947

Security update addresses an exploited vulnerability and eight others in Google Chrome

Threat ID:: CC-4494
Threat Severity:: Medium
Published:: 16 May 2024 2:36 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security update addresses an exploited vulnerability and eight others in Google Chrome

Affected platforms

The following platforms are known to be affected:

Google Chrome for Windows, macOS and Linux

All prior to 125.0.6422.60/.61 for Windows
All prior to 125.0.6422.60/.61 for macOS
All prior to 125.0.6422.60 for Linux

Threat details

Introduction

Google has released a security update which addresses one exploited vulnerability and eight others in Google Chrome for Windows, macOS, and Linux.

Exploit for CVE-2024-4947 in the wild

Google acknowledges that an exploit for CVE-2024-4947 exists in the wild.

CVE-2024-4947 Type Confusion in V8. (High). Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Remediation advice

Affected organisations are encouraged to review the Chrome Release 125.0.6422.60 advisory and apply the necessary updates to the latest release.

Definitive source of threat updates

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html

CVE Vulnerabilities

Status Published

CVE-2024-4947

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Status Published

CVE-2024-4948

Use after free in Dawn in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Status Published

CVE-2024-4949

Use after free in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Status Published

CVE-2024-4950

Inappropriate implementation in Downloads in Google Chrome prior to 125.0.6422.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

Last edited: 16 May 2024 2:36 pm