Google recently disclosed that a security flaw patched in a Chrome browser update last week is being actively exploited. The vulnerability, identified as CVE-2024-7965, is classified as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine.
According to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the flaw, found in Google Chrome versions prior to 128.0.6613.84, could allow a remote attacker to exploit heap corruption via a specially crafted HTML page.
The vulnerability was discovered by a security researcher known by the pseudonym “TheDog,” who reported it on July 30, 2024, and received an $11,000 bug bounty. Details about the attacks leveraging this flaw and the identity of the attackers are currently unknown, but Google has acknowledged being aware of an exploit for CVE-2024-7965 in the wild.
Google noted that “in the wild exploitation of CVE-2024-7965 […] was reported after this release,” though it remains unclear if the flaw was used as a zero-day before its disclosure last week.
Since the beginning of 2024, Google has addressed nine zero-day vulnerabilities in Chrome, including three demonstrated at Pwn2Own 2024. Users are strongly advised to update to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to protect against potential threats.