PoC Exploit Published for Chrome 0-day CVE-2024-4947 Vulnerability
Proof-of-concept (PoC) exploit code for CVE-2024-4947, a recently patched zero-day vulnerability in Google Chrome, has surfaced, making it crucial for users to immediately update their browsers to the latest versions.
Last week, Google issued an urgent security update for its Chrome browser to patch a critical zero-day vulnerability actively exploited in the wild. The high-severity flaw stems from a type confusion weakness in Chrome’s V8 JavaScript engine and was discovered by Kaspersky researchers Vasily Berdnikov and Boris Larin.
Google confirmed the existence of an exploit for CVE-2024-4947 in an advisory, highlighting the serious nature of this vulnerability. Type confusion flaws typically allow threat actors to read or write memory outside buffer bounds, leading to browser crashes or, more alarmingly, enabling arbitrary code execution on targeted devices. The vulnerability’s active exploitation in targeted attacks underscores the urgency of this security update.
Security researchers @buptsb and @mistymntncop conducted a detailed technical analysis and released a proof-of-concept (PoC) for CVE-2024-4947. According to their findings, the root cause of the flaw lies in V8’s incorrect AccessInfo for module namespace objects, resulting in Maglev type confusion. This error facilitates out-of-bounds read and write operations within the sandboxed environment, posing a significant security risk.
In response to this critical threat, Google swiftly released Chrome versions 125.0.6422.60/.61 for Mac and Windows, and 125.0.6422.60 for Linux. These updates are being rolled out to all users in the Stable Desktop channel over the coming weeks. Chrome users are urged to ensure their browsers are updated to the latest version to mitigate the risk posed by this vulnerability.