Google has released Chrome 124, addressing four vulnerabilities, including a critical security flaw identified as CVE-2024-4058, involving a type confusion bug in the ANGLE graphics layer engine. This critical vulnerability could potentially allow remote attackers to execute arbitrary code or escape sandboxes with limited user interaction. Notably, only a few Chrome vulnerabilities have received a ‘critical’ severity rating in recent years. Google has credited two members of Qrious Secure for discovering CVE-2024-4058, awarding them a $16,000 bounty. Qrious Secure, a group of experienced hackers, has previously reported other Chrome vulnerabilities to Google, including CVE-2024-0517 and CVE-2024-0223, both of which were patched earlier this year. While there’s no evidence of CVE-2024-4058 being exploited in the wild, type confusion bugs in Chrome are sometimes targeted by threat actors, although they typically affect the V8 JavaScript engine. Additionally, the Chrome 124 update addresses two high-severity vulnerabilities: CVE-2024-4059, an out-of-bounds read in the V8 API, and CVE-2024-4060, a use-after-free in the Dawn component.

Read more: https://www.securityweek.com/google-patches-critical-chrome-vulnerability/