Tuesday, May 20, 2025
HomeChrome2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Published on

SIEM as a Service

Follow Us on Google News

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the prestigious Pwn2Own 2024 hacking competition.

The update, which affects Chrome users on Windows, Mac, and Linux, elevates the browser version to 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux, with the rollout expected to reach users progressively over the coming days and weeks.

Security Fixes and Rewards

Google’s latest security update includes fixes for seven vulnerabilities, with a special emphasis on those discovered by external researchers.

- Advertisement - Google News

The tech giant has a longstanding tradition of rewarding these contributors for identifying and reporting bugs.

This practice enhances Chrome’s security and fosters a collaborative relationship between the company and the cybersecurity community.

Critical CVE-2024-2883: Use After Free in ANGLE

One of the most critical issues addressed in this update is CVE-2024-2883, a use-after-free vulnerability in ANGLE, a cross-platform graphics engine abstraction layer used by Chrome to improve graphics performance on various platforms.

This vulnerability was reported by Cassidy Kim (@cassidy6564) on March 3, 2024, and has been rewarded with a $10,000 bounty. Use-after-free vulnerabilities can lead to arbitrary code execution, making them particularly dangerous.

High CVE-2024-2885: Use After Free in Dawn

Another significant vulnerability patched in this release is CVE-2024-2885, a high-severity use-after-free issue in Dawn, an open-source and cross-platform implementation of the WebGPU standard.

This bug was reported by an entity known as Fuzz on March 11, 2024.

The severity of this vulnerability underscores the importance of timely updates to mitigate potential risks.

High CVE-2024-2886 and CVE-2024-2887: Exploits Unveiled at Pwn2Own 2024

However, the spotlight shines on two high-severity vulnerabilities, CVE-2024-2886 and CVE-2024-2887, unveiled during the Pwn2Own 2024 competition.

CVE-2024-2886, reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, is a use-after-free vulnerability in WebCodecs, a component critical for efficient media content encoding and decoding.

CVE-2024-2887, reported by Manfred Paul, involves type confusion in WebAssembly, a binary instruction format for a stack-based virtual machine that enables high-performance applications on the web.

These discoveries at Pwn2Own highlight the event’s role in identifying and mitigating potential threats before they can be exploited maliciously.

Ongoing Security Efforts

Google also acknowledges the contributions of its internal security team, whose ongoing efforts have led to various fixes identified through internal audits, fuzzing, and other initiatives.

The company’s use of tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL is crucial in detecting and addressing security bugs.

Chrome users are urged to update their browsers immediately to protect against these vulnerabilities.

For those interested in switching release channels or reporting new issues, Google provides resources and a community help forum for assistance and learning about common issues.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

CISA Includes MDaemon Email Server XSS Flaw in KEV Catalog

Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability affecting...

Hackers Use Weaponized RAR Archives to Deliver Pure Malware in Targeted Attacks

Russian organizations have become prime targets of a sophisticated malware campaign deploying the Pure...

Cyberattack on Serviceaide Compromises Data of 480,000 Catholic Health Patients

Data breach at Serviceaide, Inc., a technology vendor for Catholic Health, exposed sensitive information...

Threat Actors Deploy Bumblebee Malware via Poisoned Bing SEO Results

A newly identified cyberattack campaign has revealed the persistent and evolving threat of Bumblebee...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

CISA Includes MDaemon Email Server XSS Flaw in KEV Catalog

Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability affecting...

Hackers Use Weaponized RAR Archives to Deliver Pure Malware in Targeted Attacks

Russian organizations have become prime targets of a sophisticated malware campaign deploying the Pure...

Cyberattack on Serviceaide Compromises Data of 480,000 Catholic Health Patients

Data breach at Serviceaide, Inc., a technology vendor for Catholic Health, exposed sensitive information...