A critical zero-day vulnerability in Google Chrome, identified as CVE-2024-5274, has been actively exploited in the wild, prompting urgent action from security teams. This flaw, with a CVSS score of 9.6, affects the V8 JavaScript engine in Chrome versions prior to 125.0.6422.112. The vulnerability arises from a type confusion error, classified under CWE-843, which allows remote attackers to execute arbitrary code within a sandboxed environment by tricking users into visiting a specially crafted HTML page.
The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog on May 28, 2024, the same day it was publicly disclosed. Notably, this zero-day was being exploited before its disclosure, with a time-to-exploit in the wild of negative 0.6 days, highlighting the urgency for users to update their browsers immediately.
Proof-of-concept exploits are already available, increasing the risk of further attacks. The Exploit Prediction Scoring System (EPSS) has assigned it a score of 0.038, indicating a relatively low likelihood of widespread exploitation, yet the critical nature of the flaw demands immediate attention.
Google has released a patch to address this vulnerability, and users are strongly advised to update to the latest version of Chrome to mitigate potential risks. Security teams should prioritize this update, given the vulnerability's critical severity and active exploitation status. Monitoring for unusual activity and ensuring systems are patched will be crucial in defending against potential attacks leveraging this zero-day.
CSURFACE