Google on Wednesday announced the release of Chrome 128 to the stable channel with patches for 38 vulnerabilities, including 20 reported by external researchers.
Of the externally reported flaws, seven are high-severity bugs, and one of them has been exploited in the wild as a zero-day.
Tracked as CVE-2024-7971 and discovered and reported by Microsoft, the exploited security defect is described as a type confusion in the V8 JavaScript engine.
While Google does not provide specific details on the issue, type confusion vulnerabilities are memory safety flaws that could result in crashes, unexpected behavior, and remote code execution.
“Google is aware that an exploit for CVE-2024-7971 exists in the wild,” the internet giant notes in its advisory, without sharing information on the observed exploitation either.
Chrome 128 resolves five other high-severity memory safety bugs, including a use-after-free in Passwords, an out-of-bounds memory access in Skia, a heap buffer overflow in Fonts, a use-after-free in Autofill, and a type confusion in V8.
A third high-severity vulnerability in V8, namely an inappropriate implementation, was also addressed with the latest Chrome release.
The browser update also fixes nine medium-severity flaws, including multiple inappropriate implementation issues and insufficient data validation bugs, and four low-severity inappropriate implementation defects.
The internet giant says it handed out $95,000 in bug bounty rewards to the reporting researchers, with the highest payout, $36,000, going to an anonymous researcher who found the use-after-free bug in Passwords (CVE-2024-7964).
Google has yet to determine the amounts to be paid out for several vulnerabilities, so the final amount could be much higher.
The latest Chrome iteration is now rolling out as version 128.0.6613.84 for Linux and as versions 128.0.6613.84/.85 for macOS and Windows. Users are advised to update their browsers as soon as possible.
CVE-2024-7971 is the sixth Chrome zero-day exploited in attacks that Google has resolved this year. Four other zero-day vulnerabilities were patched after being demonstrated at hacking competitions.
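For teams verifying the rollout, the following added example (not from Google's advisory or the original article) classifies an inventory of installed Chrome versions against the fixed builds listed above. The host names, the sample versions and the `(host, platform, version)` row format are constructed assumptions; the comparison is done on numeric components because a plain string comparison ranks `128.0.6613.9` above `128.0.6613.84`.

```python
import re

# Lowest fixed build per platform, as listed in the article.
FIXED = {
    "linux": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "windows": (128, 0, 6613, 84),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'unpatched' or 'unknown' for one inventory row."""
    floor = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # surface for manual review, never assume patched
    return "patched" if version >= floor else "unpatched"


def audit(rows):
    """Group host names by status from (host, platform, version) rows."""
    report = {"patched": [], "unpatched": [], "unknown": []}
    for host, platform, version_text in rows:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("ws-01", "windows", "128.0.6613.85"),
    ("ws-02", "windows", "127.0.6533.120"),
    ("mac-01", "macos", "128.0.6613.84"),
    ("lin-01", "linux", "128.0.6613.9"),  # a string compare would call this newer
    ("lin-02", "linux", "129.0.6668.58"),
    ("kiosk-1", "chromeos", "128.0.6613.84"),  # platform not covered by the article
    ("ws-03", "windows", "not reported"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```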