CVE-2024-7965 vulnerability in Chrome’s V8 engine leads to urgent browser update amid ongoing attacks
Google has revealed that a critical security flaw in its Chrome browser, identified as CVE-2024-7965, has been actively exploited in the wild, leading to an urgent call for users to update their software. The vulnerability, which affects the V8 JavaScript and WebAssembly engine, was patched last week as part of a broader software update.
CVE-2024-7965 is described as an inappropriate implementation bug that could allow a remote attacker to exploit heap corruption via a crafted HTML page. The flaw was initially discovered and reported by a security researcher known as TheDog on 30 July 2024. For their discovery, TheDog received a bug bounty of USD 11,000.
The vulnerability impacts versions of Chrome prior to 128.0.6613.84 on all major platforms, including Windows, macOS, and Linux. Users are strongly recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux, to mitigate potential security risks.
Google acknowledged that it is aware of the existence of an exploit for CVE-2024-7965 and confirmed that the exploitation in the wild was reported after the patch’s release. However, the company has not released specific details about the nature of the attacks or the threat actors involved, leaving the full scope of the vulnerability’s impact unclear.
This incident marks the ninth zero-day vulnerability that Google has addressed in Chrome since the start of 2024, highlighting the persistent security challenges the browser faces. Other notable vulnerabilities patched this year include CVE-2024-0519, CVE-2024-2886, and CVE-2024-2887, all of which were demonstrated at Pwn2Own 2024.
Given the critical nature of the flaw, users are advised to ensure their Chrome browsers are updated to the latest version immediately to avoid potential exploitation. The update is available for download via the official Chrome website and through the browser’s automatic update feature.
