Google Chrome Faces Double Blow with New Zero-Day Flaw Exploits: CVE-2024-7965 and CVE-2024-7971
In a significant update to its security advisory, Google has confirmed that CVE-2024-7965, a high-severity zero-day vulnerability in the Chrome browser, has been actively exploited in the wild. This revelation comes as part of an ongoing effort to address critical flaws in the browser’s security, following an earlier disclosure of a related zero-day exploit, CVE-2024-7971.
Tracked as CVE-2024-7965, this newly highlighted vulnerability carries a CVSS score of 8.8, underscoring its potential impact. The flaw, discovered and reported by a security researcher known only as “TheDog,” resides in the V8 JavaScript engine that powers Google Chrome. The vulnerability stems from an inappropriate implementation within the engine, which could allow remote attackers to exploit heap corruption through a carefully crafted HTML page. This kind of attack can potentially give cybercriminals the ability to execute arbitrary code on the target system, leading to unauthorized access or further exploitation.
Google’s security advisory, initially released on August 21, 2024, was updated on August 26, 2024, to reflect the active exploitation of CVE-2024-7965. “Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild,” the company stated, underscoring the seriousness of the threat posed by these vulnerabilities.
In addition to CVE-2024-7965, Google has also disclosed CVE-2024-7971, a zero-day vulnerability rooted in a type confusion weakness within the same V8 JavaScript engine. This flaw was identified and reported by security researchers from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). Like CVE-2024-7965, this vulnerability has been exploited in the wild, raising concerns over the security of Chrome users worldwide.
CVE-2024-7971 has been added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA), further emphasizing the critical need for users to update their browsers promptly.
In response to these threats, Google has released patches for both zero-day vulnerabilities in Chrome version 128.0.6613.84/.85 for Windows and macOS, as well as version 128.0.6613.84 for Linux users.
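For teams that need to confirm the fix is deployed, the following added example (not from Google's advisory or the original article) checks an inventory of reported Chrome versions against the fixed builds named above. The record layout, hostnames, and sample version strings are constructed assumptions.

```python
import re

# Fixed builds as stated in the article: 128.0.6613.84/.85 on Windows and
# macOS, 128.0.6613.84 on Linux. The lowest fixed build is the threshold.
FIXED_BUILD = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}

VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part Chrome version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never assume a host is safe when data is missing
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Group hostnames by status so unpatched and unknown hosts get followed up."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in inventory:
        report[classify(platform, version_text)].append(host)
    return report

# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "128.0.6613.85"),
    ("ws-002", "Windows", "127.0.6533.120"),
    ("mac-01", "macOS", "Google Chrome 128.0.6613.84"),
    ("lin-01", "Linux", "Google Chrome 128.0.6613.36 "),
    ("lin-02", "Linux", "Google Chrome 129.0.6668.58"),
    ("kiosk-7", "ChromeOS", "128.0.6613.84"),
    ("ws-003", "Windows", "not installed"),
]
if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown (a platform the article does not list, or an unparsable version string) are kept separate from patched hosts so they are checked by hand.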