Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild.
Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine.
“Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to a description of the bug in the NIST National Vulnerability Database (NVD).
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
A security researcher who goes by the online pseudonym TheDog has been credited with discovering and reporting the flaw on July 30, 2024, earning them a bug bounty of $11,000.
Additional specifics about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be utilizing it have not been released. The tech giant, however, acknowledged that it’s aware of the existence of an exploit for CVE-2024-7965.
It also said, “in the wild exploitation of CVE-2024-7965 […] was reported after this release.” That said, it’s currently not clear if the flaw was weaponized as a zero-day prior to its disclosure last week.
The Hacker News has reached out to Google for further information about the flaw, and we will update the story if we hear back.
Google has so far addressed nine zero-days in Chrome since the start of 2024, including three that were demonstrated at Pwn2Own 2024 –
- CVE-2024-0519 – Out-of-bounds memory access in V8
- CVE-2024-2886 – Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887 – Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159 – Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671 – Use-after-free in Visuals
- CVE-2024-4761 – Out-of-bounds write in V8
- CVE-2024-4947 – Type confusion in V8
- CVE-2024-5274 – Type confusion in V8
- CVE-2024-7971 – Type confusion in V8
Users are highly recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com