Google tags a tenth Chrome zero-day as exploited this year
Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests.
Tracked as CVE-2024-7965 and reported by a security researcher known only as TheDog, the now-patched high-severity vulnerability is caused by a bug in the compiler backend when selecting the instructions to generate for just-in-time (JIT) compilation.
Google describes the vulnerability as an inappropriate implementation in Google Chrome’s V8 JavaScript engine that can let remote attackers exploit heap corruption via a crafted HTML page.
This was announced in an update to a blog post where the company revealed last week that it had fixed another high-severity zero-day vulnerability (CVE-2024-7971) caused by a V8 type confusion weakness.
“Updated on 26 August 2024 to reflect the in the wild exploitation of CVE-2024-7965 which was reported after this release,” the company said in today’s update. “Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.”
Google has fixed both zero-days in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 for Linux users, which have been rolling out to all users in the Stable Desktop channel since Wednesday.
Even though Chrome will automatically update when security patches are available, you can also speed up this process and apply the updates manually by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it.
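A fleet-side check that follows from the patched build numbers above, as an added example (not Google's code or anything from the original article): it compares each host's reported Chrome version against the minimum fixed build for its platform, component by component as integers, because a plain string comparison would rank a build such as "128.0.6613.9" above "128.0.6613.84". The hostnames, the inventory format and the platform keys are constructed for the example.

```python
"""Check whether installed Chrome builds carry the fixes for CVE-2024-7971 and
CVE-2024-7965.

Added example, not Google's code.  The minimum patched builds are the ones the
article names: 128.0.6613.84/.85 for Windows and macOS, 128.0.6613.84 for Linux.
Versions are compared component-wise as integers; a string comparison would
wrongly treat "128.0.6613.9" as newer than "128.0.6613.84".
"""
import re
from typing import Iterable, List, Tuple

# Lowest build that contains the fix, per platform (values from the article).
# Windows/macOS shipped .84 and .85; .84 is the lower bound.
PATCHED_MIN = {
    "windows": "128.0.6613.84",
    "macos": "128.0.6613.84",
    "linux": "128.0.6613.84",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # major.minor.build.patch


def parse_version(s: str) -> Tuple[int, ...]:
    """Parse 'major.minor.build.patch' into a tuple of ints; reject anything else."""
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"not a Chrome version string: {s!r}")
    return tuple(int(part) for part in s.split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    minimum = PATCHED_MIN[platform.lower()]
    return parse_version(installed) >= parse_version(minimum)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) for every host still on a vulnerable build.

    inventory yields (host, platform, version).  Unparseable versions and
    unknown platforms are reported too, since they cannot be shown to be safe.
    """
    vulnerable = []
    for host, platform, version in inventory:
        try:
            if not is_patched(version, platform):
                vulnerable.append((host, version))
        except (ValueError, KeyError):
            vulnerable.append((host, version))
    return vulnerable


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = [
        ("ws-01", "windows", "128.0.6613.85"),
        ("ws-02", "windows", "127.0.6533.120"),
        ("mac-01", "macos", "128.0.6613.84"),
        ("lx-01", "linux", "128.0.6613.9"),
        ("lx-02", "linux", "unknown"),
    ]
    for host, ver in triage(sample):
        print(f"{host}: {ver} needs updating")
```

Hosts that report a version the script cannot parse are listed alongside the out-of-date ones rather than silently skipped, so a broken inventory feed does not read as "all patched".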
While Google confirmed that the CVE-2024-7971 and CVE-2024-7965 vulnerabilities have been used in the wild, it has yet to share more information regarding these attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google says.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Since the start of the year, Google has patched eight other zero-days tagged as exploited in attacks or during the Pwn2Own hacking contest:
- CVE-2024-0519: A high-severity out-of-bounds memory access weakness within the Chrome V8 JavaScript engine, allowing remote attackers to exploit heap corruption via a specially crafted HTML page, leading to unauthorized access to sensitive information.
- CVE-2024-2887: A high-severity type confusion flaw in the WebAssembly (Wasm) standard. It could lead to remote code execution (RCE) exploits leveraging a crafted HTML page.
- CVE-2024-2886: A use-after-free vulnerability in the WebCodecs API used by web applications to encode and decode audio and video. Remote attackers exploited it to perform arbitrary reads and writes via crafted HTML pages, leading to remote code execution.
- CVE-2024-3159: A high-severity vulnerability caused by an out-of-bounds read in the Chrome V8 JavaScript engine. Remote attackers exploited this flaw using specially crafted HTML pages to access data beyond the allocated memory buffer, resulting in heap corruption that could be leveraged to extract sensitive information.
- CVE-2024-4671: A high-severity use-after-free flaw in the Visuals component that handles the rendering and displaying of content in the browser.
- CVE-2024-4761: An out-of-bounds write problem in Chrome’s V8 JavaScript engine, which is responsible for executing JS code in the application.
- CVE-2024-4947: Type confusion weakness in the Chrome V8 JavaScript engine enabling arbitrary code execution on the target device.
- CVE-2024-5274: A type confusion weakness in Chrome’s V8 JavaScript engine that can lead to crashes, data corruption, or arbitrary code execution.