Google has revealed that a security flaw that was patched as part of a software update rolled out last week to its Chrome browser has come under active exploitation in the wild.
Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine.
"Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to a description of the bug in the NIST National Vulnerability Database (NVD).
A security researcher who goes by the online pseudonym TheDog has been credited with discovering and reporting the flaw on July 30, 2024, earning them a bug bounty of $11,000.
Additional specifics about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be utilizing it have not been released. The tech giant, however, acknowledged that it's aware of the existence of an exploit for CVE-2024-7965.
It also said, "in the wild exploitation of CVE-2024-7965 [...] was reported after this release." That said, it's currently not clear if the flaw was weaponized as a zero-day prior to its disclosure last week.
The Hacker News has reached out to Google for further information about the flaw, and we will update the story if we hear back.
Google has so far addressed nine zero-days in Chrome since the start of 2024, including three that were demonstrated at Pwn2Own 2024 -
CVE-2024-0519 - Out-of-bounds memory access in V8 CVE-2024-2886 - Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024) CVE-2024-2887 - Type confusion in WebAssembly (demonstrated at Pwn2Own 2024) CVE-2024-3159 - Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024) CVE-2024-4671 - Use-after-free in Visuals CVE-2024-4761 - Out-of-bounds write in V8 CVE-2024-4947 - Type confusion in V8 CVE-2024-5274 - Type confusion in V8 CVE-2024-7971 - Type confusion in V8Users are highly recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.