UGCERT is aware of a high-severity security flaw in the Chrome browser that has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability is a type of confusion bug in the V8 JavaScript and WebAssembly engine.
The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the flaw on August 19, 2024. No additional details about the nature of the attacks exploiting the flaw or the identity of the threat actors that may be weaponizing it have been released, primarily to ensure that most of the users are updated with a fix.
The tech giant, however, reported in a statement that it’s “aware that an exploit for CVE-2024-7971 exists in the wild.” It’s worth mentioning that CVE-2024-7971 is the third type confusion bug that it has patched in V8 this year after CVE-2024-4947 and CVE-2024-5274. Google has so far addressed nine zero-days in Chrome since the start of 2024, including three that were demonstrated at Pwn2Own 2024.
Users are recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.