UPDATE: Google on Wednesday fixed a zero-day vulnerability in its Chrome browser as part of a security update with 38 security patches overall.
The high-severity flaw (CVE-2024-7971) exists in the V8 Chrome browser engine. Like previous bugs found in V8, CVE-2024-7971 stems from a type confusion issue, which can occur when programs allocate a resource using one type but later access that resource using different, incompatible types. As is typical in its security advisories, Google on Aug. 21 did not give any further public details of the flaw, its impact, or the related exploitation activity, instead giving users the opportunity to upgrade to the fixed version before threat actors learned about its specifics.
As of Aug. 26, a second Chrome flaw disclosed in the security release, CVE-2024-7965, is also being actively exploited, according to Google. The bug is an inappropriate implementation error in V8 (CVE-2024-7965) that was reported by someone under the handle “TheDog” and earned them $11,000 on July 30,
“Google is aware that an exploit for CVE-2024-7971 exists in the wild,” according to the Wednesday advisory. “Chrome 128.0.6613.84 (Linux) 128.0.6613.84/.85( Windows, Mac) contains a number of fixes and improvements.”
The flaw was reported by Microsoft’s Threat Intelligence Center and the Microsoft Security Response Center on Aug. 19.
Outside of the zero-day flaw, Google disclosed six other high-severity flaws in Chrome, including a use-after-free flaw in Google Password Manager (CVE-2024-7964) that earned the anonymous reporter a reward of $36,000 and was reported Aug. 8 and an out-of-bounds memory access flaw in the Skia graphics library (CVE-2024-7966) reported by Renan Rios on July 25, earning $10,000.
Other high-severity flaws included a heap buffer overflow in Fonts (CVE-2024-7967), a use-after-free bug in Autofill (CVE-2024-7968) and a type confusion in V8 (CVE-2024-7969).
The fixed versions of Chrome 128 will roll out over the coming days and weeks, said Google. The zero day is the ninth one that Google has patched in Chrome in the past eight months. Many of these zero-day flaws have been found in V8, including two other type confusion bugs in May, one found by Google’s Threat Analysis Group and the other by Kaspersky researchers.
This article was updated on Aug. 27 with new active explotiation of a second flaw in the Google advisory.