Google Fixes Chrome Zero Days Exploited At Pwn2own 2024

Google Chrome

Google fixed seven security vulnerabilities in the Chrome web browser on Tuesday, including two zero-days exploited during the Pwn2Own Vancouver 2024 hacking competition.

The first (tracked as CVE-2024-2887) is a high-severity type confusion weakness in the WebAssembly (Wasm) open standard. Manfred Paul demoed this vulnerability on the first day of Pwn2Own as part of a double-tap remote code execution (RCE) exploit using a crafted HTML page and targeting both Chrome and Edge.

The second zero-day is tracked as CVE-2024-2886 and was exploited by KAIST Hacking Lab’s Seunghyun Lee during the second day of the CanSecWest Pwn2Own contest.

Described as a use-after-free (UAF) weakness in the WebCodecs API used by web apps to encode and decode audio and video content, it allows remote attackers to perform arbitrary reads/writes via crafted HTML pages.

Lee also used CVE-2024-2886 to gain remote code execution using a single exploit targeting both Google Chrome and Microsoft Edge.

Google fixed the two zero-days in the Google Chrome stable channel, version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users, which will roll out worldwide over the coming days.

Chrome zero-days demoed at Pwn2Own

Mozilla also fixed two Firefox zero-days exploited by Manfred Paul at Pwn2Own Vancouver 2024 on the same day the bugs were demoed.

While it only took Mozille one day and Google five days to patch these vulnerabilities, vendors usually take their time to release patches for security flaws demoed at Pwn2Own since they have 90 days to push fixes until Trend Micro’s Zero Day Initiative publicly discloses bug details.

In January, Google also patched an actively exploited zero-day in Chrome (CVE-2024-0519) that allowed attackers to access sensitive information or crash unpatched browsers due to an out-of-bounds memory access weakness in the Chrome V8 JavaScript engine.

The Pwn2Own 2024 Vancouver competition concluded on March 22, with security researchers earning $1,132,500 for demonstrating 29 zero-day exploits and exploit chains over two days.

Manfred Paul emerged as this year’s winner with $202,500 in cash prizes after taking down the Apple Safari, Google Chrome, and Microsoft Edge web browsers.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.