Google discovered a security flaw that was fixed as part of a security update rolled out last week its Chrome browser was actively exploited in the wild.
Tracked as CVE-2024-7965The vulnerability was described as an inconsistent implementation bug in the V8 JavaScript engine and WebAssembly.
“A flawed implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit a heap corruption via a crafted HTML page,” it said. description about the bug in the NIST National Vulnerability Database (NVD).
The security researcher, who goes by the online pseudonym TheDog, was credited with discovering and reporting the flaw on July 30, 2024, earning him an $11,000 bug bounty.
No further details about the nature of attacks using the flaw or the identity of the threat actors that might exploit it have been released. However, the technology giant admitted that he knows about the existence of an exploit for CVE-2024-7965.
It also stated that “a wild exploit of CVE-2024-7965 (…) has been reported since this release.” However, it is currently unclear whether the weapon was actually a zero-day weapon before it was revealed last week.
Hacker News has reached out to Google for more information about the flaw, and we’ll update when we hear back.
So far, Google has looked at nine Chrome zero days since the start of 2024, including three that were demonstrated at Pwn2Own 2024 –
Users are strongly advised to update Chrome to version 128.0.6613.84/.85 for Windows and macOS and version 128.0.6613.84 for Linux to mitigate potential threats.
