Saturday, May 3, 2025
HomeChrome2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Published on

SIEM as a Service

Follow Us on Google News

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the prestigious Pwn2Own 2024 hacking competition.

The update, which affects Chrome users on Windows, Mac, and Linux, elevates the browser version to 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux, with the rollout expected to reach users progressively over the coming days and weeks.

Security Fixes and Rewards

Google’s latest security update includes fixes for seven vulnerabilities, with a special emphasis on those discovered by external researchers.

- Advertisement - Google News

The tech giant has a longstanding tradition of rewarding these contributors for identifying and reporting bugs.

This practice enhances Chrome’s security and fosters a collaborative relationship between the company and the cybersecurity community.

Critical CVE-2024-2883: Use After Free in ANGLE

One of the most critical issues addressed in this update is CVE-2024-2883, a use-after-free vulnerability in ANGLE, a cross-platform graphics engine abstraction layer used by Chrome to improve graphics performance on various platforms.

This vulnerability was reported by Cassidy Kim (@cassidy6564) on March 3, 2024, and has been rewarded with a $10,000 bounty. Use-after-free vulnerabilities can lead to arbitrary code execution, making them particularly dangerous.

High CVE-2024-2885: Use After Free in Dawn

Another significant vulnerability patched in this release is CVE-2024-2885, a high-severity use-after-free issue in Dawn, an open-source and cross-platform implementation of the WebGPU standard.

This bug was reported by an entity known as Fuzz on March 11, 2024.

The severity of this vulnerability underscores the importance of timely updates to mitigate potential risks.

High CVE-2024-2886 and CVE-2024-2887: Exploits Unveiled at Pwn2Own 2024

However, the spotlight shines on two high-severity vulnerabilities, CVE-2024-2886 and CVE-2024-2887, unveiled during the Pwn2Own 2024 competition.

CVE-2024-2886, reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, is a use-after-free vulnerability in WebCodecs, a component critical for efficient media content encoding and decoding.

CVE-2024-2887, reported by Manfred Paul, involves type confusion in WebAssembly, a binary instruction format for a stack-based virtual machine that enables high-performance applications on the web.

These discoveries at Pwn2Own highlight the event’s role in identifying and mitigating potential threats before they can be exploited maliciously.

Ongoing Security Efforts

Google also acknowledges the contributions of its internal security team, whose ongoing efforts have led to various fixes identified through internal audits, fuzzing, and other initiatives.

The company’s use of tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL is crucial in detecting and addressing security bugs.

Chrome users are urged to update their browsers immediately to protect against these vulnerabilities.

For those interested in switching release channels or reporting new issues, Google provides resources and a community help forum for assistance and learning about common issues.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...