Google Patches Critical Chrome Vulnerability

Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. 

Google on Wednesday announced the availability of a Chrome 124 update that patches four vulnerabilities, including a critical security hole.

The critical vulnerability, tracked as CVE-2024-4058, has been described as a type confusion bug in the ANGLE graphics layer engine. 

Considering that it has been assigned a ‘critical’ severity rating, the flaw can likely be exploited remotely for arbitrary code execution or sandbox escapes with limited user interaction.

Only a few Chrome vulnerabilities have been assigned ‘critical’ severity ratings in recent years.

Google has credited two members of Qrious Secure for reporting CVE-2024-4058. They have been awarded a $16,000 bounty for their findings.

Qrious Secure describes itself as a group of “experienced hackers who love nothing more than finding vulnerabilities and vulnerabilities and exploiting them for fun and profit”. 

The group has reported at least two other Chrome vulnerabilities to Google: CVE-2024-0517, which allows remote code execution, and CVE-2024-0223, which the researchers said “can be exploited directly from JavaScript, potentially granting GPU privilege permissions”. Both were patched earlier this year.

Google has not mentioned anything about CVE-2024-4058 being exploited in the wild. It’s not uncommon for threat actors to exploit type confusion bugs found in Chrome, but they typically impact the V8 JavaScript engine. 

The latest Chrome update also patches two high-severity vulnerabilities for which bug bounties have yet to be determined: CVE-2024-4059, an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free in the Dawn component.


Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
