Google has fixed another Chrome vulnerability that was exploited at Pwn2Own.

In March, Google fixed another zero-day vulnerability in the Chrome browser that was exploited during the Pwn competition.₂Google has fixed another zero-day vulnerability in the Chrome browser, tracked as CVE-2024-3159, which was exploited during the Pwn competition.₂Own in March 2024.

The vulnerability CVE-2024-3159 is a memory access issue in the V8 JavaScript engine. This vulnerability was demonstrated by Eduard Boshin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks during the Pwn competition.₂On March 22, 2024, this team earned $42,500 and 9 Master of Pwn points for their attack on Google Chrome and Microsoft Edge.

A remote attacker can exploit this vulnerability by tricking the victim into visiting a specially crafted HTML page, allowing access to data outside the memory buffer, which causes a heap corruption. Exploitation may lead to the disclosure of confidential information or a crash.

At the end of March, Google also fixed several vulnerabilities in the Chrome web browser, including two zero-day vulnerabilities tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn competition.₂Own Vancouver 2024.

A high-severity vulnerability tracked as CVE-2024-2886 is an issue related to use-after-free in WebCodecs. This vulnerability was demonstrated by Sun Hyun Lee (@0x10n) from KAIST Hacking Lab during Pwn.₂Own 2024.

The CVE-2024-2887 vulnerability, which has a high level of severity, is a type confusion issue found in WebAssembly.

In January, Google fixed the first zero-day vulnerability in Chrome for this year, which was actively exploited by attackers. The high-severity vulnerability, tracked as CVE-2024-0519, involves improper memory access in the Chrome JavaScript engine. This vulnerability was discovered by Anonymous on January 11, 2024.

Stay in touch with me on Twitter: @securityaffairs, Facebook, and Mastodon Pierluigi Paganini (SecurityAffairs - hacking, Google).