Google has fixed the first major Chrome security flaw of 2024 - so here’s what you need to know before you update

An out-of-bounds Google Chrome flaw allowed hackers to grab sensitive data from vulnerable endpoints

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Googlehas fixed its first, actively exploited, Chrome zero-day vulnerability of the year.

The flaw is tracked as CVE-2024-0519, and allows attackers to gain access to sensitive data, or launchdenial of serviceattacks. The flaw can also be chained with other vulnerabilities to achieve remote code execution (RCE), it was said.

“Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild,” thebrowsergiant said in anadvisorypublished earlier this week.

Reader Offer: Save up to 68% on Aura identity theft protectionTechRadar editors praise Aura’s upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today.

Preferred partner (What does this mean?)

No details - yet

The latest version of the browser is 120.0.6099.224/225 for Windows, 120.0.6099.234 for Mac, and 120.0.6099.224 for Linux. Even though Google usually says that the rollout of the patch to the Stable Desktop channel will be gradual, it was available when we tried to update the browser just now.

Still, the update was not automatic and required us to bring up the Settings menu and scan for updates.

CVE-2024-0519 is described as a high-severity out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.

“The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow,” MITRE said. “The product may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.” What’s more, the vulnerability can be used to work around ASLR and similar bypass protection mechanisms and chained together with other flaws for RCE.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Given the severity of the vulnerability, Google decided not to share additional details until the vast majority of browsers had been updated.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

I’ve been a Firefox power user since it launched 20 years ago – here’s why it still beats Chrome and Safari