Google has recently patched a critical zero-day vulnerability in its Chrome browser, identified as CVE-2024-7965. This high-severity flaw, which affects Chrome versions prior to 128.0.6613.84, has been actively exploited, prompting an urgent need for users to update their browsers.
CVE-2024-7965 is a vulnerability in Chrome's V8 JavaScript engine, resulting from an improper implementation that allows remote attackers to exploit heap corruption via specially crafted HTML pages. This vulnerability has a high risk with a CVSS score of 8.8, highlighting its potential impact on the confidentiality and integrity of affected systems.
Reported by security researcher “TheDog” on July 30, 2024, this vulnerability has been addressed in the latest Chrome version 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac. Google has confirmed the active exploitation of this flaw and stresses the importance of updating to the latest version to mitigate potential threats.
This update follows Google’s earlier announcement that it had fixed another high-severity zero-day vulnerability, CVE-2024-7971, caused by a type confusion issue in the V8 engine. Exploiting CVE-2024-7965 requires user interaction, such as visiting a compromised webpage, which could lead to unauthorized access or execution of malicious code. Both organizations and individual users are urged to prioritize the update to protect against data breaches and loss of sensitive information.
This vulnerability is one of many security issues addressed in the latest Chrome update, which includes 38 security fixes, several of which were reported by external researchers. Google’s quick response to patch this zero-day vulnerability underscores the importance of keeping software up-to-date to defend against cyber threats. Users are advised to enable automatic updates or manually check for updates through the Chrome menu under “Help” and “About Google Chrome” to ensure they are using the latest version.
Key Chrome Zero-days patched in 2024 include:
- CVE-2024-0519: An out-of-bounds memory access issue in the V8 engine, potentially allowing arbitrary code execution.
- CVE-2024-2887: A type confusion vulnerability in the WebAssembly component, leading to potential code execution, demonstrated at Pwn2Own 2024.
- CVE-2024-2886: A use-after-free condition in the WebCodecs component, also demonstrated at Pwn2Own 2024, leading to potential code execution.
- CVE-2024-3159: Another out-of-bounds memory access vulnerability in the V8 engine, fixed after being demonstrated at Pwn2Own 2024.
- CVE-2024-4671: A use-after-free vulnerability in the Visuals component, potentially leading to code execution.
- CVE-2024-4947: A type confusion vulnerability in the V8 and WebAssembly engine, actively exploited in the wild.
- CVE-2024-5274: A type confusion bug in the V8 and WebAssembly engine, leading to out-of-bounds memory access and potential code execution.
- CVE-2024-7971: A type confusion issue in the V8 engine, exploitable for arbitrary code execution.