In the new stable release of the Chrome browser, Google has fixed three security vulnerabilities affecting the V8 engine, including one zero-day (CVE-2024-0519) with an existing exploit.
About CVE-2024-0519
V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers.
CVE-2024-0519 is an (obviously exploitable) out-of-bounds memory access flaw that, as noted by NIST, “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
The vulnerability has been flagged by an anonymous researcher.
“Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild,” the Chrome team says.
The other two V8 engine flaws patched in this latest version of Chrome for Mac, Linux, Windows and Android are CVE-2024-0517 (an out-of-bounds write bug) and CVE-2024-0518 (a type confusion flaw).
Chrome users who have set Chrome to update automatically don’t need to take action, but those who update it manually should do so as soon as possible. (With zero-days in Chrome getting regularly exploited, opting for automatic updates is not a bad idea.)
Fixes in other Chromium-based browsers
Since Microsoft Edge is based on Chromium, Microsoft has announced they are working on releasing a security patch.
“It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit,” they added.
Other popular Chromium-based browsers such as Brave, Opera, and Vivaldi will likely include those fixes soon.