August 22, 2024
A high-severity flaw in Google's Chrome browser, which has been actively exploited in the wild, has been fixed by security updates recently released by the company. The vulnerability, CVE-2024-7971, was found to be a type confusion issue in the V8 JavaScript and WebAssembly engine.
National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) reported that type confusion in V8 prior to version 128.0.6613.84 of Google Chrome, a remote attacker could exploit heap corruption through a specially crafted HTML page.
On August 19, 2024, the flaw was discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC). However, specific details about the attacks that exploited this flaw or the identities of the threat actors have not been disclosed yet. Google is prioritizing to ensure that most users have updated their browsers with the fix.
Google has acknowledged the awareness of an exploit for CVE-2024-7971 in a brief statement, which is currently being active in the wild. This marks the third instance of type confusion vulnerability in V8 that Google has addressed this year, with the previous vulnerabilities being CVE-2024-4947 and CVE-2024-5274.
In total, Google has made acknowledgments of nine zero-day vulnerabilities in Chrome since the beginning of 2024, including three demonstrated at Pwn2Own 2024:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
- CVE-2024-5274: Type confusion in V8
It is recommended that users update their Chrome browser to version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate any potential risks. This applies to those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi as well, and updates should be applied as soon as they become available.