Google has issued a warning about an active exploitation of a security flaw in its Chrome browser, identified as CVE-2024-7965. This vulnerability, which was addressed in a recent software update, involves an inappropriate implementation issue in the V8 JavaScript and WebAssembly engine.
The flaw, described in the NIST National Vulnerability Database (NVD) as an “inappropriate implementation” in V8 before Chrome version 128.0.6613.84, allows remote attackers to potentially exploit heap corruption via a specially crafted HTML page.
The vulnerability was discovered by security researcher known online as TheDog, who reported it on July 30, 2024, and received a bug bounty of $11,000. Although details about the specific attacks exploiting this flaw and the identity of the threat actors remain undisclosed, Google has confirmed that active exploitation of CVE-2024-7965 has been observed.
It remains unclear whether this flaw was weaponized as a zero-day before its public disclosure last week. Google has addressed a total of nine zero-day vulnerabilities in Chrome in 2024, including several that were demonstrated at Pwn2Own 2024.
Users are advised to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to protect against potential threats.