August 27, 2024 at 06:24AM
Google warns of an in-the-wild exploited bug, tracked as CVE-2024-7965, in Chrome 128.0.6613.84. The V8 JavaScript engine flawed implementation allows remote attackers to exploit heap corruption through crafted HTML pages, potentially executing code or accessing sensitive information. The US CISA added the bug to the Known Exploited Vulnerabilities catalog, urging organizations to apply available patches.
From the meeting notes, it’s clear that Google’s Chrome 128 update had addressed a zero-day vulnerability, but it has been reported that another bug resolved with the update (CVE-2024-7965) is being exploited in the wild. This bug, with a CVSS score of 8.8, is related to an inappropriate implementation in the V8 JavaScript engine and allows a remote attacker to exploit heap corruption via crafted HTML pages.
The exploitation of the security defect was reported after the release of the browser update, and it remains unclear whether the flaw was exploited as a zero-day. The bug affects Chrome releases before version 128.0.6613.84, which was released with patches for 37 vulnerabilities, including CVE-2024-7971, a type confusion bug in V8 that was exploited as a zero-day.
The US cybersecurity agency CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and has warned federal agencies to identify vulnerable instances in their environments and apply available patches by September 16, as per Binding Operational Directive (BOD) 22-01. CISA also advised all organizations to prioritize applying patches for the vulnerabilities listed in the KEV catalog.
It’s important for all relevant parties to take these warnings seriously and ensure that necessary patches are applied to mitigate these vulnerabilities.