Google has released emergency patches to fix a new zero-day vulnerability in the Chrome web browser that is being actively exploited in the wild.
The vulnerability, known as CVE-2024-4761, is a high-severity out-of-bounds write bug affecting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024.
Out-of-bounds write bugs are commonly exploited by malicious actors to manipulate data, cause a crash, or execute unauthorized code on compromised systems.
“Google is aware of an exploit for CVE-2024-4761 being used in the wild,” the company stated.
Specific details about the attacks are being withheld to prevent further exploitation of the vulnerability by threat actors.
This disclosure follows the recent patching of CVE-2024-4671, a use-after-free vulnerability in the Visuals component that has also been exploited in real-world attacks.
Google has now fixed a total of six zero-day vulnerabilities this year, three of which were demonstrated at the Pwn2Own hacking contest in Vancouver in March.
Users are advised to update to Chrome version 124.0.6367.207/.208 for Windows and macOS, and version 124.0.6367.207 for Linux to reduce potential risks.
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as soon as they are available.
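To act on the update advice above, the following added example (not from Google or the original article) checks an inventory of browser version strings against the fixed builds named in the article. It assumes each row carries the `Google Chrome <version>` banner that `google-chrome --version` prints; the host names and inventory rows are constructed sample data.

```python
import re

# Lowest fixed build per platform, as stated in the article for CVE-2024-4761.
# Windows and macOS ship as .207/.208, so .207 is the floor on every platform.
FIXED = {
    "windows": (124, 0, 6367, 207),
    "macos": (124, 0, 6367, 207),
    "linux": (124, 0, 6367, 207),
}

VERSION_RE = re.compile(r"^Google Chrome (\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_chrome_version(banner):
    """Return the version as a 4-tuple of ints, or None if not a Chrome banner."""
    m = VERSION_RE.match(banner.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def classify(platform, banner):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    fixed = FIXED.get(platform.lower())
    version = parse_chrome_version(banner)
    if fixed is None or version is None:
        # Edge, Brave, Opera and Vivaldi use their own version numbers and the
        # article gives no fixed builds for them, so do not guess.
        return "unknown"
    # Compare as integer tuples: as strings, "99" would sort above "207".
    return "patched" if version >= fixed else "vulnerable"

# Constructed sample inventory: (host, platform, version banner).
INVENTORY = [
    ("ws-001", "windows", "Google Chrome 124.0.6367.208"),
    ("ws-002", "windows", "Google Chrome 124.0.6367.201"),
    ("mac-01", "macos", "Google Chrome 124.0.6367.207"),
    ("lx-001", "linux", "Google Chrome 124.0.6367.99"),
    ("lx-002", "linux", "Google Chrome 123.0.6312.122 "),
    ("ws-003", "windows", "Microsoft Edge 124.0.2478.97"),
]

def audit(inventory):
    """Map each host to its patch status."""
    return {host: classify(platform, banner) for host, platform, banner in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` need the vendor's own advisory to determine the fixed build.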