Five Chrome Zero-Days in Two Weeks: The Most Aggressive Browser Attack Wave of 2024


Five zero-day vulnerabilities. Two weeks. All actively exploited in the wild. That's the situation Google Chrome users woke up to at the end of May 2024. If you're reading this on a Chromium-based browser, and statistically you almost certainly are, this directly affects you.


Google confirmed and patched five separate zero-day vulnerabilities in Chrome over the course of May 2024. Each one was serious enough to warrant an out-of-band emergency patch. Not a scheduled Patch Tuesday. Not a routine update. Emergency fixes, pushed outside the normal release cycle, because attackers were already using these flaws against real targets.

Forbes senior contributor Davey Winder called the confirmation of a fifth zero-day (CVE-2024-5274) within a two-week window an "unusual frequency" of high-severity patches with no recent precedent in Chrome's history. I'd go further. This isn't a blip. It's a pattern, and it points to something much bigger than individual bugs.

The Five Vulnerabilities: What Got Exploited

Here's what actually happened. The five zero-days patched in May 2024:

  • CVE-2024-4671 — Use-after-free in Chrome's Visuals component. Attackers reference memory that's already been freed, potentially executing arbitrary code.
  • CVE-2024-4761 — Out-of-bounds write in V8, Chrome's JavaScript engine. V8 is the beating heart of Chrome's performance. A flaw here is about as dangerous as it gets.
  • CVE-2024-4947 — Type confusion in V8. Reported by Kaspersky researchers, which matters because Kaspersky's threat intelligence team primarily tracks state-sponsored campaigns.
  • CVE-2024-4559 — Another vulnerability that contributed to the unprecedented May patch cadence.
  • CVE-2024-5274 — The fifth and most recent. Another type confusion in V8, reported by Google's own Threat Analysis Group alongside external researchers.

Two of these five target V8's type system directly. That's not a coincidence. Type confusion vulnerabilities in JavaScript engines are among the most prized exploits in offensive security. They can bypass sandboxing, achieve remote code execution, and chain together for full system compromise.

Ravie Lakshmanan at The Hacker News pointed out that CVE-2024-5274 shares a similar attack surface with CVE-2024-4947. When the same engine component gets hit multiple times in rapid succession, it tells you the attackers have deep knowledge of V8's internals and are burning through a stockpile of exploits.

I've spent over 14 years building and securing web-facing applications. V8 vulnerabilities are in a class of their own. Every single user interaction in Chrome runs through V8. Every ad, every embedded widget, every third-party script. A V8 zero-day doesn't require the user to download anything. Just visiting a page is enough.

The Patch Schedule Tells the Real Story

Most coverage misses the significance of how these patches shipped.


Chrome has a regular update cycle. Stable channel updates roll out roughly every two to three weeks, with security fixes bundled in. When Google breaks that cycle for an emergency patch, it means one thing: the vulnerability is being actively exploited, and waiting for the next scheduled update is an unacceptable risk.

Five out-of-band patches in two weeks is extraordinary. BleepingComputer's Sergiu Gatlan reported that these five brought Chrome's total zero-days exploited in 2024 to eight by the end of May. For context, the full year of 2023 saw eight Chrome zero-days exploited in the wild total, according to Google's own tracking. We matched an entire year's count in five months.

I've seen security incident patterns like this in production environments I've worked in. When you see a cluster of related vulnerabilities disclosed in rapid succession, it usually means one of two things. Either a single sophisticated group had multiple exploits and they're being burned faster than expected. Or multiple groups independently found weaknesses in the same component. Both scenarios are bad.

Google's official language in each advisory was careful but revealing: "Google is aware that an exploit for [CVE] exists in the wild." As TechCrunch's Carly Page emphasized, that phrasing confirms active exploitation. It's not theoretical. Someone is using this against real people right now.

Follow the Exploit Economics

Google and its partners haven't disclosed specific targets for most of these vulnerabilities. That silence is itself informative.

When Google's Threat Analysis Group discovers one of these (CVE-2024-5274) and Kaspersky flags another (CVE-2024-4947), the attacker profile becomes pretty clear. Both organizations specialize in tracking advanced persistent threats. The kind of groups that operate on behalf of nation-states.

Chrome zero-days aren't cheap. Zerodium's publicly listed pricing (widely considered to understate real market rates) puts a Chrome full-chain exploit for Windows at $500,000. Crowdfense has offered significantly more. The actual black-market price for a reliable Chrome zero-day chain is almost certainly north of $1 million.

Nobody spends that kind of money to serve you pop-up ads. These exploits are used for targeted surveillance. Journalists, dissidents, government officials, defense contractors. People who would never expect that simply opening a webpage could compromise their entire machine.

And here's the thing nobody's saying about this: the blast radius extends far beyond Chrome's reported 3.5 billion users. Chrome's V8 engine powers every Chromium-based browser. Edge, Brave, Opera, Vivaldi, Arc. Chromium-based browsers collectively serve closer to 4 billion users worldwide. A V8 zero-day isn't just a Chrome problem. It's a web platform problem that touches nearly every browser on the market except Firefox and Safari.

What You Should Do Right Now

This is the boring part, and it's the most important part.

Update Chrome immediately. Go to chrome://settings/help and let it check for updates. You want version 125.0.6422.112 or later (Windows/Mac/Linux). If you're not on that version, you're exposed to at least one of these five zero-days.

But updating isn't enough if you don't understand the structural issue. Chrome's auto-update mechanism is good, but it requires a browser restart to take effect. I've watched engineers who should absolutely know better run Chrome for weeks without restarting because they have 47 tabs they don't want to lose. Your stale browser session is a liability.

Running any Chromium-based browser? Check its update status too. Edge, Brave, and others pull in Chromium security patches on their own schedules, and the lag can be meaningful when zero-days are actively exploited.

For engineering teams and orgs: this is a reminder that browser patch management matters. I've worked in environments where we obsessed over server patch cycles but treated browser versions as an afterthought. That's backwards. The browser is the single most exposed piece of software on any employee's machine. If your org doesn't have visibility into browser versions across your fleet, that's a security gap you need to close yesterday.
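For the fleet-visibility gap described above, here is a sketch of a version audit; it is an added example, not code from the original post. The inventory field names (`host`, `browser`, `installed`, `running`) are hypothetical and the sample rows are constructed. It compares versions numerically and separates machines that are unpatched from those that are patched on disk but still running an old session.

```python
# Added example: classify browser inventory rows against the fixed Chrome build.
# Record fields (host, browser, installed, running) are hypothetical names.
from typing import Optional, Tuple

MIN_CHROME = "125.0.6422.112"  # fixed build named in the article


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a four-part Chromium-style version; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(record: dict, minimum: str = MIN_CHROME) -> str:
    """Return one of: ok, outdated, restart_pending, no_baseline, unparseable."""
    if record["browser"].lower() != "chrome":
        # Edge, Brave, etc. ship Chromium fixes under their own version
        # numbers, so the Chrome baseline cannot be applied to them.
        return "no_baseline"
    floor = parse_version(minimum)
    installed = parse_version(record["installed"])
    running = parse_version(record["running"])
    if None in (floor, installed, running):
        return "unparseable"
    if installed < floor:
        return "outdated"
    if running < floor:
        # Update is on disk, but the open session still runs the old build.
        return "restart_pending"
    return "ok"


# Constructed sample inventory, not real fleet data.
SAMPLE = [
    {"host": "ws-01", "browser": "Chrome", "installed": "125.0.6422.112", "running": "125.0.6422.112"},
    {"host": "ws-02", "browser": "Chrome", "installed": "125.0.6422.113", "running": "124.0.6367.207"},
    {"host": "ws-03", "browser": "Chrome", "installed": "125.0.6422.76", "running": "125.0.6422.76"},
    {"host": "ws-04", "browser": "Edge", "installed": "125.0.2535.67", "running": "125.0.2535.67"},
    {"host": "ws-05", "browser": "Chrome", "installed": "125.0.6422", "running": "125.0.6422"},
]


def report(records=SAMPLE) -> dict:
    """Map each host to its status so exposed machines can be followed up."""
    return {r["host"]: classify(r) for r in records}

print(report())
```

The `ws-03` row is the case a plain string comparison gets wrong: `"125.0.6422.76"` sorts after `"125.0.6422.112"` as text, even though build 76 is older than 112.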

Browsers Are the New Perimeter

Step back from the specific CVEs and the picture gets clearer. Browsers have become the primary attack surface for sophisticated adversaries. Not email attachments. Not USB drives. The browser.

This makes sense from the attacker's perspective. The browser is a universal target. It's always connected. It processes untrusted content by design. And despite years of sandboxing improvements, a V8 type confusion bug can still be the first link in a chain that ends with full system compromise.

Google, to their credit, has invested heavily in Chrome security. Site isolation, V8 sandbox hardening, MiraclePtr for use-after-free mitigation. These are real defenses. But the May 2024 zero-day cluster shows that motivated attackers with deep resources can still find and exploit gaps faster than defenders can close them.

Microsoft faced a similar pattern with its own zero-days. This isn't a Google-specific problem. It's a structural challenge of building software that must execute arbitrary, untrusted code from the internet at near-native speed.

Five zero-days in two weeks isn't an anomaly. It's a preview of what browser security looks like when the exploit market is flush with cash and the targets are valuable enough.

With eight Chrome zero-days exploited in the wild by end of May, 2024 was on pace for double-digit Chrome zero-days for the full year. That turned out to be a conservative prediction. The exploit economy is growing, the value of browser zero-days is climbing, and V8's attack surface remains enormous.

The browser you trust to run your applications is the same browser that nation-state hackers are spending millions to break. Update it today. Then ask yourself whether your organization treats browser security with the seriousness it deserves. Because the people finding these zero-days certainly do.
