Google has disclosed that a security flaw patched in a recent software update for its Chrome browser has been actively exploited in the wild. The vulnerability, identified as CVE-2024-7965, is linked to an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine.
According to the NIST National Vulnerability Database (NVD), the flaw allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page in versions of Google Chrome prior to 128.0.6613.84. The security researcher known by the pseudonym TheDog discovered and reported the vulnerability on July 30, 2024, earning a bug bounty of $11,000.
While Google has not disclosed specific details about the nature of the attacks or the identity of the threat actors exploiting this flaw, it acknowledged awareness of an exploit for CVE-2024-7965. “In the wild exploitation of CVE-2024-7965 […] was reported after this release,” Google stated. It remains unclear whether the vulnerability was weaponized as a zero-day prior to its public disclosure.
The Hacker News has reached out to Google for further information, and any updates will be provided as they become available.
This is one of several zero-day vulnerabilities that Google has addressed in Chrome since the beginning of 2024, including three demonstrated at Pwn2Own 2024. These vulnerabilities include:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs (Pwn2Own 2024)
- CVE-2024-2887: Type confusion in WebAssembly (Pwn2Own 2024)
- CVE-2024-3159: Out-of-bounds memory access in V8 (Pwn2Own 2024)
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
- CVE-2024-5274: Type confusion in V8
- CVE-2024-7971: Type confusion in V8
Users are strongly advised to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to safeguard against potential threats.
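For fleet owners, the practical question behind that upgrade advice is which installed builds still fall in the affected range ("prior to 128.0.6613.84"). The script below is an added example, not code from Google or The Hacker News: it parses Chrome's four-part version strings, compares them numerically against the fixed builds named above, and flags hosts that still need the update. The hostnames and installed versions in `SAMPLE_INVENTORY` are constructed for the example.

```python
"""Flag Chrome installs older than the fixed build for CVE-2024-7965."""

# Fixed versions per platform, taken from the advisory text above.
# Windows/macOS also shipped a .85 build of the same fix; numeric comparison
# treats it as patched without listing it separately.
FIXED_VERSIONS = {
    "windows": "128.0.6613.84",
    "macos": "128.0.6613.84",
    "linux": "128.0.6613.84",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a dotted Chrome version (MAJOR.MINOR.BUILD.PATCH) into ints.

    Rejects anything that is not four numeric components so malformed
    inventory data raises instead of being silently counted as patched.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """Return True if `installed` is older than the fixed build for `platform`."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is component-wise and numeric, so 128.x sorts after 9.x.
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "127.0.6533.120"),
    ("ws-02", "windows", "128.0.6613.85"),
    ("mac-01", "macos", "128.0.6613.84"),
    ("lnx-01", "linux", "128.0.6613.83"),
]


def find_vulnerable_hosts(inventory):
    """Return hostnames whose Chrome build predates the fix."""
    return [host for host, plat, ver in inventory if is_vulnerable(plat, ver)]


if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome needs updating for CVE-2024-7965")
```

Comparing the parsed integer tuples rather than the raw strings matters: a plain string comparison would rank `9.0.9999.9999` above `128.0.6613.84` and report a badly outdated build as patched.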