Google has released urgent security updates to address a critical flaw in its Chrome browser, which is reportedly being actively exploited. The vulnerability, identified as CVE-2024-7971, is a type confusion bug in the V8 JavaScript and WebAssembly engine.
The National Institute of Standards and Technology (NIST) describes CVE-2024-7971 as a flaw that allows remote attackers to exploit heap corruption through a specially crafted HTML page. This issue affects versions of Chrome prior to 128.0.6613.84.
The flaw was discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) on August 19, 2024. Specific details about the attacks and the threat actors involved have not been disclosed, but Google has confirmed that an exploit for CVE-2024-7971 is in active use.
This is the third type confusion vulnerability patched by Google in the V8 engine this year, following CVE-2024-4947 and CVE-2024-5274. To date, Google has addressed nine zero-day vulnerabilities in Chrome in 2024, including several demonstrated at the Pwn2Own 2024 hacking competition:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs
- CVE-2024-2887: Type confusion in WebAssembly
- CVE-2024-3159: Out-of-bounds memory access in V8
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
- CVE-2024-5274: Type confusion in V8
To protect against potential threats, users are advised to update to Chrome version 128.0.6613.84 or 128.0.6613.85 on Windows and macOS, and version 128.0.6613.84 on Linux. Additionally, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the latest updates as they become available.
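For administrators checking a fleet against the fixed build, the following added example (not from Google or the original article) parses reported Chrome version strings and flags hosts still below 128.0.6613.84. The host names and inventory lines are constructed sample data, and the function names are hypothetical; the check covers Chrome only, since the article gives no fixed versions for other Chromium-based browsers.

```python
import re

# Fixed build named in the article; earlier builds are affected by CVE-2024-7971.
FIXED = (128, 0, 6613, 84)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_chrome_version(text):
    """Return the four-part version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())

def is_patched(text, fixed=FIXED):
    """True if at or above the fixed build, False if older, None if unparseable."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuples of ints compare numerically per component, so .9 sorts below .84.
    # Comparing the raw strings would wrongly rank "128.0.6613.9" as newer.
    return version >= fixed

def audit(inventory):
    """Return (host, reported, status) for every host that is not confirmed patched."""
    findings = []
    for host, reported in inventory:
        state = is_patched(reported)
        if state is True:
            continue
        status = "outdated" if state is False else "unknown"
        findings.append((host, reported.strip(), status))
    return findings

# Constructed sample inventory: (host, output of the browser's --version command).
SAMPLE = [
    ("ws-01", "Google Chrome 128.0.6613.84 "),
    ("ws-02", "Google Chrome 127.0.6533.120"),
    ("ws-03", "Google Chrome 128.0.6613.9"),
    ("mac-01", "Google Chrome 128.0.6613.85"),
    ("ws-04", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, reported, status in audit(SAMPLE):
        print(f"{host}\t{status}\t{reported}")
```

Hosts reported as "unknown" returned no parseable version and need a manual check rather than being assumed patched.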