Google Warns of Exploited Chrome Vulnerability

Google flags another high-severity vulnerability patched with the latest Chrome 128 release as exploited in the wild.

Less than a week after releasing Chrome 128 to the stable channel to address a zero-day vulnerability, Google warns that another bug resolved with the update is being exploited in the wild.

The issue, tracked as CVE-2024-7965 (CVSS score of 8.8), is described as an inappropriate implementation in the V8 JavaScript engine that allows a remote attacker to exploit heap corruption via crafted HTML pages.

Essentially, if the victim visits a compromised or malicious web page, the vulnerability could allow the attacker to execute code or access sensitive information.

Google notes in its updated advisory that the in-the-wild exploitation of the security defect was reported after the browser update was released, but did not make it clear whether the flaw was exploited as a zero-day.

CVE-2024-7965 affects Chrome releases before version 128.0.6613.84, which was released last week with patches for 37 vulnerabilities, including CVE-2024-7971, a type confusion bug in V8 that was exploited as a zero-day.

The US cybersecurity agency CISA added the zero-day to its Known Exploited Vulnerabilities (KEV) catalog on Monday, warning that it could affect web browsers that utilize Chromium, such as Chrome, Edge, and Opera.

CISA says it has evidence of CVE-2024-7971 being exploited in the wild, without providing details on the observed attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warns.

With the flaw added to KEV, federal agencies have until September 16 to identify vulnerable instances in their environments and apply the available patches, as Binding Operational Directive (BOD) 22-01 mandates.

Although BOD 22-01 only applies to federal agencies, all organizations are advised to prioritize applying patches for the vulnerabilities listed in the KEV catalog.
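The practical task the article leaves with defenders is to find Chrome installs older than the fixed build, 128.0.6613.84, and patch them. The following script is an added example, not code from the article, Google or CISA; it compares dotted version strings component by component so that a build such as 128.0.6613.9 is correctly recognised as older than 128.0.6613.84 (a plain string comparison would get that wrong). The inventory rows are constructed sample data; in practice they would come from your endpoint inventory.

```python
import re
from typing import Iterable, List, Tuple

# Fixed release named in the article: Chrome 128.0.6613.84 carries the patches for
# CVE-2024-7965 and CVE-2024-7971. Any earlier build is considered vulnerable.
FIXED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints for numeric comparison."""
    cleaned = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build.

    Tuples compare element by element, so 128.0.6613.9 < 128.0.6613.84 holds
    numerically even though the strings would sort the other way.
    """
    return parse_version(installed) < parse_version(fixed)


def find_vulnerable_hosts(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported Chrome version is older than the fix."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory (hostname, reported Chrome version); not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "127.0.6533.120"),  # previous major release: vulnerable
    ("ws-002", "128.0.6613.84"),   # exactly the fixed build: patched
    ("ws-003", "128.0.6613.9"),    # string-sorts after ".84" but is numerically older: vulnerable
    ("ws-004", "128.0.6613.120"),  # later 128 build: patched
]

if __name__ == "__main__":
    for host in find_vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome older than {FIXED_VERSION}, update required")
```

Running the script over the sample inventory reports ws-001 and ws-003 as needing the update. The same comparison applies to other Chromium-based browsers the article mentions, but each vendor ships its own fixed build number, so use that vendor's advisory value for `fixed` rather than the Chrome one.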

Written By

Ionut Arghire is an international correspondent for SecurityWeek.