Google patches multiple vulnerabilities after hacking competition Pwn2Own Vancouver 2024

Google patched seven security vulnerabilities in the Chrome web browser after the completion of the Pwn2Own Vancouver 2024 hacking competition. The most severe of those are:

• CVE-2024-2883 (CVSS score 8.8), is a use-after-free (UAF) flaw found in Angle, a key component of Google Chrome that processes WebGL content. WebGL, standing for Web Graphics Library, is a JavaScript API utilized for rendering interactive 2D and 3D graphics within web browsers, eliminating the need for additional plug-ins. This vulnerability could permit remote attackers to compromise user data and system integrity through the execution of code under victim's privileges.
• CVE-2024-2887 (CVSS score 8.8), is a type confusion flaw within the WebAssembly (Wasm) standard. Discovered and demonstrated by security researcher Manfred Paul, this vulnerability was showcased as a part of a sophisticated remote code execution (RCE) exploit. By crafting a specific HTML page, an attacker could leverage this flaw to execute arbitrary code on both the Chrome and Edge browsers, highlighting the cross-browser impact of this exploit.
• CVE-2024-2886 (CVSS score 8.8), is a use-after-free (UAF) issue in the WebCodecs API, which is integral to how web applications process audio and video content. Exploiting this flaw allows attackers to conduct arbitrary reads and writes by manipulating HTML pages, ultimately leading to remote code execution on both Chrome and Microsoft Edge.

Google addressed these vulnerabilities in the Chrome Stable Channel update, releasing version 123.0.6312.86/.87 for Windows and Mac users and version 123.0.6312.86 for Linux. Users are advised to patch their browsers.