
Google has been forced to patch another zero-day in its Chrome browser, the third exploited flaw in a week.
"Google is aware that an exploit for CVE-2024-4947 exists in the wild," the company said in its usual brief advisory about the flaw.
As usual, it did not provide any details about the flaw, apart from "Type Confusion in V8."
That means the vulnerability is caused by a type confusion weakness in Chrome's V8 JavaScript engine.
According to an explanation at CWE.org, "The product allocates or initialises a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type."
On 11 May, Google issued a fix for a zero-day bug, CVE-2024-4671, that was being exploited. Access to details of a third serious bug, CVE-2024-4948, is blocked.
Google's (and Apple's) reluctance to offer more details about severe bugs is often justified by these companies on the alleged grounds that disclosing them could help attackers craft code to take advantage of these flaws.
But that is mostly a spurious argument as attackers are normally far ahead of these companies in knowing the weaknesses of their software and ways to attack it.
In its advisory, Google says: "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."