Google has issued security updates to mitigate a high-severity vulnerability in Chrome, which is currently being exploited in the wild.
The flaw, identified as CVE-2024-7971, is categorized as a type confusion issue within the V8 JavaScript and WebAssembly engine. According to the National Vulnerability Database (NVD) maintained by NIST, “Type confusion in V8 in Google Chrome prior to version 128.0.6613.84 allowed a remote attacker to cause heap corruption through a specially crafted HTML page.”
This vulnerability was discovered and reported by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) on August 19, 2024. Details of the exploitation and the identities of the attackers have not been disclosed, so that users have time to apply the update first.
Google has confirmed the existence of an exploit for CVE-2024-7971 “in the wild,” noting that this is the third type confusion vulnerability addressed in the V8 engine this year, following CVE-2024-4947 and CVE-2024-5274.
Counting CVE-2024-7971, Google has fixed nine zero-day vulnerabilities in Chrome since the beginning of 2024, including three showcased at Pwn2Own 2024. The eight earlier ones are:
- CVE-2024-0519: Out-of-bounds memory access in V8
- CVE-2024-2886: Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024)
- CVE-2024-2887: Type confusion in WebAssembly (demonstrated at Pwn2Own 2024)
- CVE-2024-3159: Out-of-bounds memory access in V8 (demonstrated at Pwn2Own 2024)
- CVE-2024-4671: Use-after-free in Visuals
- CVE-2024-4761: Out-of-bounds write in V8
- CVE-2024-4947: Type confusion in V8
- CVE-2024-5274: Type confusion in V8
Users are urged to update to version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to guard against potential threats. Those using Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply these updates as they become available.
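For administrators checking a fleet against the fixed build, the following is an added example (not from Google or the original article) that classifies reported browser versions against 128.0.6613.84. The inventory format, host names and sample versions are constructed assumptions; only Google Chrome strings are judged, because the article gives no fixed version numbers for other Chromium-based browsers.

```python
import re

# Fixed build from the advisory text (NVD: "prior to version 128.0.6613.84").
FIXED = (128, 0, 6613, 84)

# Assumed inventory format: the product name followed by a four-part version,
# e.g. "Google Chrome 128.0.6613.84". Other products are deliberately not
# matched, since their version numbering is not comparable to Chrome's.
CHROME_RE = re.compile(r"Google Chrome (\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported string."""
    m = CHROME_RE.match(version_text.strip())
    if m is None:
        return "unknown"  # not Chrome, or no parsable version
    version = tuple(int(part) for part in m.groups())
    # Tuple comparison is numeric per component, so build .9 sorts below .84
    # (a plain string comparison would get this wrong).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Group host names by status; hosts are sorted within each group."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        result[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 128.0.6613.84",
    "ws-02": "Google Chrome 127.0.6533.100",
    "ws-03": "Google Chrome 128.0.6613.9",
    "mac-01": "Google Chrome 128.0.6613.85",
    "edge-01": "Microsoft Edge 128.0.1111.11",
    "ws-04": "version not reported",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the "unknown" group need a separate check against their own vendor's release notes.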