Two New Actively Exploited Zero-Day Vulnerabilities Hit Google Chrome

Google has recently confirmed that two zero-day vulnerabilities, CVE-2024-7965 and CVE-2024-7971, have been actively exploited in the wild, posing a significant threat to Chrome users. CVE-2024-7965, with a CVSS score of 8.8, affects the V8 JavaScript engine in Chrome. This flaw involves improper implementation within the engine, enabling remote attackers to exploit heap corruption through a maliciously crafted HTML page, potentially allowing them to execute arbitrary code on the target system.

The related vulnerability, CVE-2024-7971, also resides in the V8 JavaScript engine and is due to a type confusion weakness. This vulnerability was identified by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). Both vulnerabilities have been actively exploited, prompting Google to update its security advisory on August 26, 2024, to reflect the ongoing risks. The Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-7971 to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting the urgency of the situation.

In response, Google has released patches for both CVE-2024-7965 and CVE-2024-7971 in Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux. Chrome users are strongly urged to update their browsers immediately to protect against potential exploitation and secure their systems from these critical vulnerabilities.
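A fleet-side check against the fixed builds named above, as an added example that is not from Google or the original article. The inventory rows, hostnames and function names are constructed for illustration, and it assumes version strings have already been collected from each host.

```python
import re

# Fixed builds as stated in the article (Windows/macOS shipped as .84/.85,
# Linux as .84), so the lowest patched build on every platform is 128.0.6613.84.
FIXED = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 127.0.6533.120'; return a tuple of ints or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    fixed = FIXED.get(os_name.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unrecognised platform or unparseable version: review by hand
    # Tuples compare numerically, so .9 sorts below .84 (a string compare gets this wrong).
    return "patched" if version >= fixed else "vulnerable"


def audit(rows):
    """Map each host to its status; rows are (host, os, version_text)."""
    return {host: classify(os_name, ver) for host, os_name, ver in rows}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [
    ("ws-01", "Windows", "Google Chrome 128.0.6613.85"),
    ("ws-02", "Windows", "Google Chrome 127.0.6533.120"),
    ("mac-01", "macOS", "128.0.6613.84"),
    ("lin-01", "Linux", "Google Chrome 128.0.6613.9"),
    ("lin-02", "Linux", "chrome: not installed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be followed up rather than assumed safe, since a missing or unparseable version says nothing about patch state.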
