Security update includes two exploited high severity vulnerabilities in Google Chrome

Threat ID:CC-4539

Threat Severity:Medium

Published:22 August 2024 3:12 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 128.0.6613.84/.85

Google Chrome

Threat details

Introduction

Google has released Chrome version 128.0.6613.84/.85 for Linux, Windows, and Mac. Of note, two high severity vulnerabilities are reported as exploited in the wild, which are outlined below.

CVE-2024-7971 - A remote attacker could exploit this type confusion vulnerability in V8, via a specially crafted HTML page.
CVE-2024-7965 - A remote attacker could exploit this heap corruption vulnerability in V8 via a specially crafted HTML page

The update also addresses an additional five high, nine medium, and four low severity vulnerabilities.

Exploitation of CVE-2024-7971 and CVE-2024-7965

Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.

Threat updates


28 Aug 2024	Exploitation of CVE-2024-7965 reported in advisory update

Remediation advice

Affected organisations are encouraged to review the Chrome Release 128.0.6613.84/.85 Stable Channel advisory and apply the update for the latest release.

Definitive source of threat updates

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

CVE Vulnerabilities

StatusPublished

CVE-2024-7971Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

StatusPublished

CVE-2024-7965Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Last edited: 28 August 2024 2:16 pm