Vulnerabilities

Google Patches Sixth Exploited Chrome Zero-Day of 2024

Chrome 128 was released in the stable channel with patches for 38 vulnerabilities, including a V8 JavaScript engine flaw exploited in the wild.

Chrome security

Google on Wednesday announced the release of Chrome 128 to the stable channel with patches for 38 vulnerabilities, including 20 reported by external researchers.

Of the externally reported flaws, seven are high-severity bugs, and one of them has been exploited in the wild as a zero-day.

Tracked as CVE-2024-7971 and discovered and reported by Microsoft, the exploited security defect is described as a type confusion in the V8 JavaScript engine.

While Google does not provide specific details on the issue, type confusion vulnerabilities are memory safety flaws that could result in crashes, unexpected behavior, and remote code execution.

“Google is aware that an exploit for CVE-2024-7971 exists in the wild,” the internet giant notes in its advisory, without sharing information on the observed exploitation either.

Chrome 128 resolves five other high-severity memory safety bugs, including a use-after-free in Passwords, an out-of-bounds memory access in Skia, a heap buffer overflow in Fonts, a use-after-free in Autofill, and a type confusion in V8.

Advertisement. Scroll to continue reading.

A third high-severity vulnerability in V8, namely an inappropriate implementation, was also addressed with the latest Chrome release.

The browser update also fixes nine medium-severity flaws, including multiple inappropriate implementation issues and insufficient data validation bugs, and four low-severity inappropriate implementation defects.

The internet giant says it handed out $95,000 in bug bounty rewards to the reporting researchers, with the highest payout – of $36,000 – going to an anonymous researcher who found the use-after-free bug in Passwords (CVE-2024-7964).

Google has yet to determine the amounts to be paid out for several vulnerabilities, so the final amount could be much higher.

The latest Chrome iteration is now rolling out as version 128.0.6613.84 for Linux and as versions 128.0.6613.84/.85 for macOS and Windows. Users are advised to update their browsers as soon as possible.

CVE-2024-7971 is the sixth Chrome zero-day exploited in attacks that Google has resolved this year. Four other zero-day vulnerabilities were patched after being demonstrated at hacking competitions.

Related: Chrome, Firefox Updates Patch Serious Vulnerabilities

Related: Google Patches Fourth Chrome Zero-Day in Two Weeks

Related: Telegram Zero-Day Enabled Malware Delivery

Related: Microsoft Shares Details on Critical ChromeOS Vulnerability

Related Content

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

ICS/OT

CISA has added the remote code execution flaw CVE-2026-12569 to its Known Exploited Vulnerabilities catalog.

ICS/OT

The exploited flaw, CVE-2025-67038, is one of the vulnerabilities disclosed in April as part of the BRIDGE:BREAK research project.

Vulnerabilities

More than half of the bugs are use-after-free defects, which can potentially lead to remote code execution.

Vulnerabilities

CVE-2026-20245, the 7th Cisco SD-WAN vulnerability exploited in 2026, was used for months prior to its disclosure and patching.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version