"Google Warns of Exploited Chrome Vulnerability"

Less than a week after releasing Chrome 128 to the stable channel, Google warns that another bug resolved with the update is being exploited in the wild. The issue, tracked as CVE-2024-7965 (CVSS score of 8.8), is described by Google as an inappropriate implementation in the V8 JavaScript engine that allows a remote attacker to exploit heap corruption via crafted HTML pages. Google noted that if the victim visits a compromised or malicious web page, the vulnerability could allow the attacker to execute code or access sensitive information. Google stated that the in-the-wild exploitation of the security defect was reported after the browser update was released, but did not clarify whether the flaw was exploited as a zero-day. CVE-2024-7965 affects Chrome releases before version 128.0.6613.84, which was released last week with patches for 37 vulnerabilities, including CVE-2024-7971, a type confusion bug in V8 that was exploited as a zero-day. The US cybersecurity agency CISA added the zero-day to its Known Exploited Vulnerabilities (KEV) catalog, warning that it could affect web browsers that utilize Chromium, such as Chrome, Edge, and Opera. CISA says there is evidence that CVE-2024-7971 was exploited in the wild, but it did not provide details on the observed attacks. With the flaw added to KEV, federal agencies have until September 16 to identify vulnerable instances in their environments and apply the available patches, as Binding Operational Directive (BOD) 22-01 mandates.

 

SecurityWeek reports: "Google Warns of Exploited Chrome Vulnerability"

Submitted by Adam Ekwall on