August 22, 2024Ravie LakshmananBrowser Security / Vulnerability

Google has rolled out security fixes to address a high-severity security vulnerability in the Chrome browser that Google says is being actively exploited.

Followed as CVE-2024-7971The vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine.

“A type confusion vulnerability in version 8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page,” according to a description of the bug in the NIST National Vulnerability Database (NVD).

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) are credited with discovering and reporting the breach on August 19, 2024.

No additional details have been released about the nature of the attacks exploiting the vulnerability or the identities of the threat actors who may be using it as a weapon. This is primarily to ensure that most users are aware of the fix.

However, the tech giant did admit in a terse statement that it is “aware that an exploit for CVE-2024-7971 exists in the wild.” It’s worth noting that CVE-2024-7971 is the third type of confusion bug it’s patched in V8 this year, following CVE-2024-4947 and CVE-2024-5274.

Google has so far addressed nine zero-days in Chrome since early 2024, including three that were demonstrated at Pwn2Own 2024 –

Users are advised to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes once available.