
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Google Chromium V8 vulnerability, CVE-2024-4947, to its Known Exploited Vulnerabilities (KEV) catalog. The listing indicates that the flaw is not merely a potential risk but is being actively exploited by threat actors in real-world attacks.
The vulnerability is described as a type confusion issue found within the V8 JavaScript engine, which powers Google Chrome and numerous other web browsers and applications built on the Chromium foundation. Successful exploitation of this flaw can enable an attacker to achieve arbitrary code execution, allowing them to run malicious code on a vulnerable system.
Inclusion in the KEV catalog serves as an urgent warning to all organizations and individuals. CISA mandates that federal civilian executive branch agencies address vulnerabilities listed in the catalog within specific deadlines, typically 15 days, due to the demonstrated risk of active exploitation. While this directive applies specifically to U.S. federal agencies, it underscores the critical need for all users of affected software to prioritize patching.
Users of Google Chrome should ensure they are running the latest version (125.0.6422.60/.61 or later), which includes fixes for this and other security issues. Any applications or browsers utilizing the vulnerable Chromium V8 engine must also be updated promptly to mitigate the risk posed by this actively exploited vulnerability. Immediate patching is the most effective defense against threats leveraging flaws found in the KEV catalog.
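The version check described above can be run across a fleet inventory. The following is an added example, not part of the original article: the inventory format, host names and product labels are constructed, and the threshold assumes the lower of the two fixed builds named above. It compares versions numerically, because a plain string comparison would wrongly rank 125.0.6422.9 above 125.0.6422.60.

```python
import re

# Fixed Chrome build named in the article (lower of the two builds listed).
FIXED_CHROME = (125, 0, 6422, 60)

# Constructed sample inventory: host, product, reported version.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome,125.0.6422.61
ws-002,Google Chrome,125.0.6422.9
ws-003,Google Chrome,124.0.6367.207
ws-004,Google Chrome,126.0.6478.55
ws-005,Example Chromium App,3.2.1
ws-006,Google Chrome,unknown
"""

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")

def parse_version(text):
    """Return a 4-part integer tuple, or None if not a Chrome-style version."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(product, version_text):
    """Classify one inventory row against the fixed Chrome build."""
    if product.strip().lower() != "google chrome":
        # The article gives a fixed version only for Chrome; other
        # Chromium-based products use their own version numbering.
        return "check-vendor"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable rows need manual follow-up
    return "patched" if version >= FIXED_CHROME else "vulnerable"

def audit(inventory_text):
    """Map each host in a CSV-style inventory to its patch status."""
    results = {}
    for line in inventory_text.splitlines():
        if line.strip():
            host, product, version = line.split(",", 2)
            results[host] = classify(product, version)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked `check-vendor` or `unknown` are not cleared by this check and should be resolved against the vendor's own advisory or a fresh inventory scan.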
Source: https://securityaffairs.com/178678/security/u-s-cisa-google-chromium-v8-flaw-known-exploited-vulnerabilities-catalog.html