Google Warns of Exploited Chrome Vulnerability

Google flags another high-severity vulnerability patched with the latest Chrome 128 release as exploited in the wild.


Less than a week after releasing Chrome 128 to the stable channel to address a zero-day vulnerability, Google warns that another bug resolved with the update is being exploited in the wild.

The issue, tracked as CVE-2024-7965 (CVSS score of 8.8), is described as an inappropriate implementation in the V8 JavaScript engine that allows a remote attacker to exploit heap corruption via crafted HTML pages.

Essentially, if the victim visits a compromised or malicious web page, the vulnerability could allow the attacker to execute code or access sensitive information.

Google notes in its updated advisory that the in-the-wild exploitation of the security defect was reported after the browser update was released, but the company did not make clear whether the flaw had been exploited as a zero-day before the patch shipped.

CVE-2024-7965 affects Chrome releases before version 128.0.6613.84, which was released last week with patches for 37 vulnerabilities, including CVE-2024-7971, a type confusion bug in V8 that was exploited as a zero-day.
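A defender's first question is which installed builds still predate the fixed release. The following script, added here as an illustration and not taken from Google's advisory or this article, compares Chrome/Chromium version strings numerically against 128.0.6613.84; the inventory lines are constructed samples in the format printed by `google-chrome --version`, and the check assumes Chrome's own numbering (Edge and Opera carry their own version numbers and need their vendors' advisories).

```python
import re
from typing import Optional, Tuple

# First Chrome stable build carrying the fixes for CVE-2024-7965 and CVE-2024-7971.
FIXED_VERSION = "128.0.6613.84"

# Constructed sample inventory lines (host: output of `google-chrome --version`);
# not real data from any environment.
SAMPLE_INVENTORY = [
    "host-a: Google Chrome 127.0.6533.119",
    "host-b: Google Chrome 128.0.6613.84",
    "host-c: Chromium 128.0.6613.113",
    "host-d: Google Chrome 128.0.6613.8",
    "host-e: no browser found",
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-component Chrome version as a tuple of ints.

    Numeric comparison matters: "128.0.6613.8" is older than "128.0.6613.84",
    which a plain string comparison would get backwards.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix, False if patched, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return v < parse_version(FIXED_VERSION)


def triage(lines):
    """Map each host to 'vulnerable', 'patched' or 'unknown' from inventory lines."""
    result = {}
    for line in lines:
        host, _, rest = line.partition(":")  # parse only the version part, not the host name
        state = is_vulnerable(rest)
        result[host.strip()] = "unknown" if state is None else ("vulnerable" if state else "patched")
    return result


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```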

The US cybersecurity agency CISA added the zero-day to its Known Exploited Vulnerabilities (KEV) catalog on Monday, warning that it could affect web browsers that utilize Chromium, such as Chrome, Edge, and Opera.

CISA says it has evidence of CVE-2024-7971 being exploited in the wild, without providing details on the observed attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warns.


With the flaw added to KEV, federal agencies have until September 16 to identify vulnerable instances in their environments and apply the available patches, as Binding Operational Directive (BOD) 22-01 mandates.

Although BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize applying patches for the vulnerabilities listed in the KEV catalog.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
