Lucene search

The Hacker NewsTHN:FD3B14B21E8671B91D42736825698EF4

HistoryAug 27, 2024 - 4:45 a.m.

Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

2024-08-2704:45:00

The Hacker News

thehackernews.com

google

chrome

cve-2024-7965

security flaw

v8 engine

exploitation

nist

bug bounty

zero-day

upgrade

threat mitigation

cybersecurity

CVSS3

9.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.258

Percentile

96.8%

JSON

Google has revealed that a security flaw that was patched as part of a software update rolled out last week to its Chrome browser has come under active exploitation in the wild.

Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine.

“Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to a description of the bug in the NIST National Vulnerability Database (NVD).

A security researcher who goes by the online pseudonym TheDog has been credited with discovering and reporting the flaw on July 30, 2024, earning them a bug bounty of $11,000.

Additional specifics about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be utilizing it have not been released. The tech giant, however, acknowledged that it’s aware of the existence of an exploit for CVE-2024-7965.

It also said, “in the wild exploitation of CVE-2024-7965 […] was reported after this release.” That said, it’s currently not clear if the flaw was weaponized as a zero-day prior to its disclosure last week.

The Hacker News has reached out to Google for further information about the flaw, and we will update the story if we hear back.

Google has so far addressed nine zero-days in Chrome since the start of 2024, including three that were demonstrated at Pwn2Own 2024 -

CVE-2024-0519 - Out-of-bounds memory access in V8
CVE-2024-2886 - Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
CVE-2024-2887 - Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
CVE-2024-3159 - Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
CVE-2024-4671 - Use-after-free in Visuals
CVE-2024-4761 - Out-of-bounds write in V8
CVE-2024-4947 - Type confusion in V8
CVE-2024-5274 - Type confusion in V8
CVE-2024-7971 - Type confusion in V8

Users are highly recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.