V8 Engine Vulnerability CVE-2024-7965 Exploited: Google Updates Blog

Last week, Google released an urgent security update for Chrome to address a vulnerability, identified as CVE-2024-7971, which had already been exploited by hackers. This vulnerability, located in Chrome’s JavaScript V8 engine, is a type confusion error discovered and reported to Google by researchers from Microsoft’s Threat Intelligence Center and Microsoft Security Response Center.

At that time, Google also patched other security vulnerabilities. Today, Google updated its blog to reveal that the CVE-2024-7965 vulnerability had also been exploited by hackers. While Google previously had no evidence of exploitation, they now confirm that such evidence exists. The CVE-2024-7965 vulnerability was reported by a security researcher named TheDog and is also related to improper implementation in the V8 engine, which can be triggered by specially crafted HTML.

These vulnerabilities have all been fixed in Chrome version 128.0.6613.84/.85, and since this version was released five days ago, most users should have already been automatically updated to the latest version.

Google has yet to disclose the hacker groups exploiting these vulnerabilities or other related details. Typically, Google gradually discloses vulnerabilities only after most users are no longer affected. If the vulnerability involves third-party libraries, disclosure is often delayed to give developers more time to patch, preventing targeted attacks that could arise from early disclosure.

Any other browser based on the Chromium engine also needs to release updates to fix this vulnerability. Therefore, if you are using a Chromium-based browser such as Microsoft Edge, Vivaldi, or Brave, you should be attentive to subsequent updates.