{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-044.pdf"
    },
    "title": "Zero-day Vulnerability in Chrome",
    "serial_number": "2024-044",
    "publish_date": "16-05-2024 11:23:40",
    "description": "On May 15, 2024, Google released an advisory addressing nine vulnerabilities, including a new zero-day bug identified as \"CVE-2024-4947\". It has been reported that this vulnerability is being actively exploited. This is the seventh zero-day vulnerability fixed by Google this year.",
    "url_title": "2024-044",
    "content_markdown": "---\ntitle: 'Zero-day Vulnerability in\u00a0Chrome'\nnumber: '2024-044'\nversion: '1.0'\noriginal_date: 'May 15, 2024'\ndate: 'May 16, 2024'\n---\n\n_History:_\n\n* _16/05/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 15, 2024, Google released an advisory addressing nine vulnerabilities, including a new zero-day bug identified as `CVE-2024-4947`. It has been reported that this vulnerability is being actively exploited [1]. This is the seventh zero-day vulnerability fixed by Google this year.\n\n# Technical Details\n\n- The vulnerability `CVE-2024-4947` is a type confusion bug in the V8 JavaScript and WebAssembly engine [2].\n- The vulnerability `CVE-2024-4761` is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine [3].\n- The vulnerability `CVE-2024-4671` is a use-after-free in a Visuals component [4].\n- The vulnerability `CVE-2024-3159` is an out-of-bounds memory access in the V8 engine [5].\n- The vulnerability `CVE-2024-2887` is a type confusion bug in the WebAssembly engine [6].\n- The vulnerability `CVE-2024-2886` is a use-after-free bug in WebCodecs [6].\n- The vulnerability `CVE-2024-0519` is an out-of-bounds memory access in the V8 engine [7].\n\n# Affected Products\n\nGoogle Chrome versions prior to 125.0.6422.60/.61 for Windows and Mac, and 125.0.6422.60 for Linux, are impacted [1]. Other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also affected.\n\n# Recommendations\n\nIt is recommended to update Google Chrome browsers to the latest version.
It is also advised to update other Chromium-based browsers when fixes become available.\n\n# References\n\n[1] <https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html>\n\n[2] <https://thehackernews.com/2024/05/google-patches-yet-another-actively.html>\n\n[3] <https://thehackernews.com/2024/05/new-chrome-zero-day-vulnerability-cve.html>\n\n[4] <https://thehackernews.com/2024/05/chrome-zero-day-alert-update-your.html>\n\n[5] <https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html>\n\n[6] <https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html>\n\n[7] <https://www.cert.europa.eu/publications/security-advisories/2024-012/>\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>16/05/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 15, 2024, Google released an advisory addressing nine vulnerabilities, including a new zero-day bug identified as <code>CVE-2024-4947</code>. It has been reported that this vulnerability is being actively exploited [1]. This is the seventh zero-day vulnerability fixed by Google this year.</p><h2 id=\"technical-details\">Technical Details</h2><ul><li>The vulnerability <code>CVE-2024-4947</code> is a type confusion bug in the V8 JavaScript and WebAssembly engine [2].</li><li>The vulnerability <code>CVE-2024-4761</code> is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine [3].</li><li>The vulnerability <code>CVE-2024-4671</code> is a use-after-free in a Visuals component [4].</li><li>The vulnerability <code>CVE-2024-3159</code> is an out-of-bounds memory access in the V8 engine [5].</li><li>The vulnerability <code>CVE-2024-2887</code> is a type confusion bug in the WebAssembly engine [6].</li><li>The vulnerability <code>CVE-2024-2886</code> is a use-after-free bug in WebCodecs [6].</li><li>The vulnerability <code>CVE-2024-0519</code> is an out-of-bounds memory access in the V8 engine [7].</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>Google Chrome versions prior to 125.0.6422.60/.61 for Windows and Mac, and 125.0.6422.60 for Linux, are impacted [1]. Other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also affected.</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update Google Chrome browsers to the latest version.
It is also advised to update other Chromium-based browsers when fixes become available.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html\">https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://thehackernews.com/2024/05/google-patches-yet-another-actively.html\">https://thehackernews.com/2024/05/google-patches-yet-another-actively.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://thehackernews.com/2024/05/new-chrome-zero-day-vulnerability-cve.html\">https://thehackernews.com/2024/05/new-chrome-zero-day-vulnerability-cve.html</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://thehackernews.com/2024/05/chrome-zero-day-alert-update-your.html\">https://thehackernews.com/2024/05/chrome-zero-day-alert-update-your.html</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html\">https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop.html</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html\">https://chromereleases.googleblog.com/2024/03/stable-channel-update-for-desktop_26.html</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cert.europa.eu/publications/security-advisories/2024-012/\">https://www.cert.europa.eu/publications/security-advisories/2024-012/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}