Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own
Google on Tuesday announced a new Chrome update that resolves another zero-day vulnerability demonstrated at the Pwn2Own hacking contest in March.
Tracked as CVE-2024-3159, the high-severity bug is described as an out-of-bounds memory access issue in the V8 JavaScript and WebAssembly engine. The flaw was exploited at Pwn2Own Vancouver 2024 by Edouard Bochin and Tao Yan from Palo Alto Networks, who received a $42,500 bug bounty reward for their finding.
The researchers “used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer,” Trend Micro’s Zero Day Initiative (ZDI) announced on March 22. CVE-2024-3159 is the third Chrome zero-day flaw demonstrated at Pwn2Own to have been resolved, after a Chrome update last week that addressed CVE-2024-2886 and CVE-2024-2887, a use-after-free in WebCodecs and a type confusion bug in WebAssembly, respectively.