Google recently addressed a critical zero-day vulnerability in its Chrome browser, identified as CVE-2024-7965. This high-severity flaw, affecting versions of Chrome prior to 128.0.6613.84, has been actively exploited in the wild, urging users to update their browsers without delay.
CVE-2024-7965 targets the V8 JavaScript engine integral to Chrome. The zero-day vulnerability arises from a problematic implementation that allows attackers to exploit heap corruption via specially crafted HTML pages. With a CVSS score of 8.8, this flaw represents a severe risk, potentially compromising the confidentiality and integrity of affected systems.
Google Addresses Critical Zero-Day Vulnerability (CVE-2024-7965)
The issue was first reported by the security researcher known as “TheDog” on July 30, 2024. Since then, Google has released a patch in Chrome version 128.0.6613.84 for Linux and 128.0.6613.84/.85 for Windows and Mac to address this vulnerability.
This latest update from Google highlights the urgency of applying the patch, especially as CVE-2024-7965 is actively exploited. Google has been vigilant in patching zero-day vulnerabilities, as evidenced by their previous work on CVE-2024-7971, another critical flaw related to a V8 JavaScript engine type confusion.
To exploit CVE-2024-7965, an attacker would need user interaction, such as visiting a compromised webpage, potentially leading to unauthorized access or executing malicious code. For this reason, both organizations and individual users are strongly advised to prioritize updating their browsers to protect against potential data breaches and other security threats.
This vulnerability is part of a broader set of security issues addressed in the most recent Chrome update. In total, the update includes 38 security fixes, with several high-severity vulnerabilities reported by external researchers.
Google Fixes Multiple Critical Vulnerabilities
Google’s swift action to address the critical Chrome zero-day vulnerability CVE-2024-7965 highlights the vital need for users to keep their software up-to-date. To protect against potential cyber threats, users should enable automatic updates or manually check for updates by going to the Chrome menu, selecting “Help,” and then “About Google Chrome” to confirm they are running the latest version.
Throughout 2024, Google has patched several significant zero-day vulnerabilities in Chrome, reflecting ongoing efforts to bolster browser security. CVE-2024-0519, for example, involved an out-of-bounds memory access issue in the V8 JavaScript engine that could have led to arbitrary code execution. This flaw has been addressed with a newer version of Chrome.
Another vulnerability, CVE-2024-2887, was a type confusion issue in the WebAssembly component, which could result in out-of-bounds memory access and arbitrary code execution. As demonstrated at Pwn2Own 2024, it was patched in subsequent updates. Similarly, CVE-2024-2886 involved a use-after-free condition in the WebCodecs component, which could also allow arbitrary code execution. This issue was fixed in newer updates following its highlight at Pwn2Own 2024.
CVE-2024-3159, another out-of-bounds memory access flaw in the V8 JavaScript engine, and CVE-2024-4671, a use-after-free vulnerability in the Visuals component, were patched in recent Chrome updates. Additionally, CVE-2024-4947 and CVE-2024-5274 were type confusion vulnerabilities in the V8 JavaScript and WebAssembly engines, with active exploitation leading to urgent patches.
Lastly, CVE-2024-7971, a type of confusion issue within the V8 JavaScript engine, also required immediate attention. These patches throughout the year emphasize the importance of maintaining up-to-date software.