Google has pushed out an emergency update to its Chrome browser, addressing two zero-day vulnerabilities that could allow attackers to bypass security controls or execute arbitrary code on affected systems.
The update, which brings Chrome to version 146, includes fixes for a memory corruption bug (CVE-2024-5907) and a type confusion flaw (CVE-2024-5908). Both were identified as being actively exploited in the wild before patches were made available. The first issue, a use-after-free vulnerability in the V8 JavaScript engine, could lead to privilege escalation if triggered through a specially crafted web page.
Google has not disclosed technical details, a step intended to prevent broader exploitation, but security researchers warn that these flaws are particularly dangerous because they can bypass modern sandbox protections. The type confusion bug, found in Chrome’s rendering engine, could allow attackers to gain control over the browser process.
Users should ensure they are running the latest version of Chrome, as older builds remain vulnerable. The update is being rolled out automatically for most users, but those managing enterprise deployments may need to enforce it manually through policy controls.
The release follows a pattern of rapid response seen in recent months, reflecting Google’s commitment to patching critical flaws within 48 hours when necessary. This approach has become standard practice for high-severity vulnerabilities, though it sometimes leads to minor stability issues that are typically resolved in subsequent builds.
For users concerned about compatibility or performance, the update introduces no major breaking changes, but some extensions may require re-enabling if they were disabled during previous security-related updates. The focus remains on closing these gaps before attackers can weaponize them further.