Experts have published the exploit code and a detailed analysis of a zero-day vulnerability in Google Chrome. The Proof-of-Concept (PoC) exploit pertains to a type confusion bug identified as CVE-2024-5274 (CVSS score: 8.8) in the V8 engine, which handles JavaScript processing within the browser. The issue arises when the program incorrectly interprets one data type as another, potentially leading to crashes, data corruption, and even arbitrary code execution.
Google initially released a patch for the vulnerability in May 2024, but technical details were withheld to prevent threat actors from exploiting the flaw. This situation changed when researchers @mistymntncop and @buptsb published the exploit code on GitHub.
The release of PoC code has both advantages and drawbacks. On the one hand, it is invaluable for cybersecurity professionals, who can study the vulnerability and devise more robust protective measures. On the other hand, the code could be leveraged by hackers to develop real-world exploits and launch attacks.
This vulnerability has already been exploited in attacks targeting government websites in Mongolia, affecting both iOS and Android users visiting compromised sites. The attacks were part of a broader campaign that also utilized another critical Chrome vulnerability, CVE-2024-4671. In both cases, the attackers employed exploits similar to those used by the commercial spyware companies Intellexa and NSO Group.
Google has already released an update for Chrome: version 125.0.6422.112/.113 for Windows and Mac, and version 125.0.6422.112 for Linux. Users are strongly urged to update their browsers immediately to safeguard against potential attacks.
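For administrators who need to confirm that a fleet has actually picked up this fix, the following is an added example (not code from the article or from Google) that compares installed Chrome versions against the fixed builds named above; the host inventory is constructed sample data, and comparing version components as integers avoids the lexicographic trap where "125.0.6422.99" sorts after "125.0.6422.112".

```python
import re

# Minimum Chrome versions containing the fix for CVE-2024-5274, as stated on the page:
# 125.0.6422.112/.113 for Windows and Mac, 125.0.6422.112 for Linux. The lowest
# fixed build per platform is the threshold.
FIXED_VERSIONS = {
    "windows": "125.0.6422.112",
    "mac": "125.0.6422.112",
    "linux": "125.0.6422.112",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a Chrome MAJOR.MINOR.BUILD.PATCH string into a tuple of ints.

    Integer tuples compare correctly; plain string comparison would rank
    '125.0.6422.99' above '125.0.6422.112' even though it is the older build.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome-style four-part version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed Chrome is at or above the fixed build for that platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}; expected one of {sorted(FIXED_VERSIONS)}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames whose Chrome is still below the fixed build.
    Inventory rows are (hostname, platform, installed_version)."""
    return [host for host, platform, ver in inventory if not is_patched(ver, platform)]


# Constructed sample inventory (hypothetical hosts, e.g. from an endpoint-management export).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "125.0.6422.112"),  # patched: exactly the fixed build
    ("ws-02", "windows", "125.0.6422.76"),   # vulnerable: earlier patch number
    ("mac-01", "mac", "125.0.6422.113"),     # patched: the .113 Mac/Windows build
    ("lnx-01", "linux", "124.0.6367.207"),   # vulnerable: previous major release
    ("lnx-02", "linux", "126.0.6478.55"),    # patched: newer major release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the CVE-2024-5274 fixed build, update required")
```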