Google has swiftly addressed yet another zero-day vulnerability discovered in its Chrome browser, a flaw that was exploited during the Pwn2Own hacking contest. Tracked as CVE-2024-3159, this high-severity vulnerability stems from an out-of-bounds read weakness in the Chrome V8 JavaScript engine, posing a significant security risk. Remote attackers could exploit this flaw via crafted HTML pages to access data beyond the memory buffer, potentially leading to sensitive information exposure or system crashes.
During the Pwn2Own Vancouver 2024 contest, Palo Alto Networks researchers demonstrated the zero-day exploit, showcasing its severity by executing arbitrary code on Google Chrome and Microsoft Edge browsers. This exploit, termed the “double-tap,” earned the researchers a substantial $42,500 award. Google has promptly rolled out fixes for the zero-day in the stable channel versions of Chrome, ensuring worldwide protection against potential exploits.
This incident marks the latest in a series of Chrome zero-days patched by Google this year, highlighting the ongoing efforts to bolster the browser’s security. In addition to addressing vulnerabilities exploited at Pwn2Own, Google has also resolved other zero-days, including CVE-2024-0519, actively exploited in January. The rapid response from Google underscores the critical importance of addressing zero-day vulnerabilities promptly to safeguard users’ data and privacy.
