CVE-2024-5274: Google Patches Zero-Day Vulnerability Actively Exploited in the Wild

Google issued an emergency security update for its Chrome browser Thursday, urgently addressing a zero-day vulnerability (CVE-2024-5274) that threat actors are actively exploiting. The flaw, a high-severity “type confusion” weakness in Chrome’s V8 JavaScript engine, poses a significant risk to users who haven’t updated their browsers.

The vulnerability was discovered by security researchers Clément Lecigne of Google’s Threat Analysis Group (TAG) and Brendon Tiszka of Chrome Security. TAG is renowned for its focus on protecting Google users from state-sponsored attacks, adding a layer of intrigue to this discovery.

While Google confirmed that CVE-2024-5274 is being actively exploited, they have remained tight-lipped about the specifics of the attacks. This lack of detail leaves users in the dark about the extent of the threat and the potential damage it could cause.

Zero-day vulnerabilities, like CVE-2024-5274, are flaws unknown to software vendors until they are discovered and exploited by malicious actors. These vulnerabilities are particularly dangerous because there’s no patch available when the attacks begin, leaving users highly exposed.

To mitigate the risk, Google strongly urges all Chrome users to update to the latest version: 125.0.6422.112/.113 for Windows and Mac, or 125.0.6422.112 for Linux. The update should be available immediately through the browser’s “About Google Chrome” menu. Chrome also typically auto-updates in the background, but a restart is needed for the patch to take effect.