Google has swiftly responded to critical vulnerabilities in Chrome with the release of Chrome 125, addressing nine vulnerabilities, four of which were reported by external researchers. Among these, CVE-2024-4947, a high-severity type confusion flaw in the V8 JavaScript engine, stands out as it has already been exploited in the wild. This flaw could enable remote attackers to execute arbitrary code within a sandbox via a crafted HTML page, posing significant security risks.
Acknowledging the contributions of external researchers, Google has credited Vasily Berdnikov and Boris Larin of Kaspersky for reporting CVE-2024-4947, although details regarding the observed exploitation and associated bug bounty remain undisclosed. Additionally, another externally reported vulnerability, CVE-2024-4948, a high-severity use-after-free issue in the Dawn open-source implementation of the WebGPU standard in Chromium, has been addressed. Chrome 125 also resolves a medium-severity use-after-free bug in the V8 engine and a low-severity inappropriate implementation in Downloads.
Chrome 125 is being rolled out across various platforms, including Linux, Windows, and macOS, and users are urged to update promptly given the severity and frequency of the zero-day exploits addressed. This release follows Google’s recent efforts to address multiple zero-day vulnerabilities in Chrome, with CVE-2024-4947 marking the latest in a series of critical security risks mitigated by the Chrome development team. With these patches, Google aims to bolster the security of Chrome and safeguard users against potential cyber threats.