Chrome has its fourth zero-day bug this month

What is known about the vulnerability

The newly reported vulnerability is tracked as CVE-2024-5274 and is described as a type confusion issue in Chrome's V8 JavaScript engine. Type confusion is a class of error that can occur in programming languages that use dynamic typing, such as JavaScript, and can be exploited by changing the type of a given variable in order to trigger unintended behavior.

The Chrome team rates the vulnerability as very serious and credits Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security for reporting it on May 20. The team also notes that it is aware that an exploit for this vulnerability exists in the wild.

Although no technical details about the vulnerability have been released, to give users time to update, it is possible that this is a code execution bug. Such bugs would normally be considered critical in most software applications, but the Chrome V8 engine has a memory stack sandbox and other security mechanisms such as JITCage that make exploitation difficult. To exploit it successfully, attackers would need to combine this vulnerability with others that bypass these mitigations.

