Google is in the process of rolling out patches that address a high-severity security flaw in its Chrome browser. According to Google, this flaw has come under active exploitation in the wild.
The flaw (tracked as CVE-2024-7971) is a type confusion bug in the V8 JavaScript and WebAssembly engine (h/t to The Hacker News). Google acknowledged the flaw in a blog post, saying that the company is “aware that an exploit for CVE-2024-7971 exists in the wild.”
According to the National Vulnerability Database, this type confusion bug “allowed a remote attacker to exploit heap corruption via a crafted HTML page.” For those unaware, heap corruption means that a program’s dynamically allocated memory (the heap) has been damaged. According to BlackBerry, in some cases it can be benign; however, it can also cause a fatal memory fault where the system won’t allow associated processes to occur.
In Google’s blog, they credit the Microsoft Threat Intelligence Center and the Microsoft Security Response Center for discovering and reporting the flaw on August 19.
At the time of writing, Google has not released any details about the nature of any attacks exploiting the flaw or who might have been weaponizing it. According to The Hacker News, this is the third type confusion bug that has been patched this year by Google.
To apply Google’s fix, you’ll need to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS. Linux users will need to update to version 128.0.6613.84. Again, the fix is being rolled out gradually so it might not immediately be available to all Chrome users. Make sure to check back frequently if you don’t see the new version just yet.
Other Chromium-based browsers, including Brave, Microsoft Edge, Opera and Vivaldi, may also be affected, and users should apply any fixes as soon as they become available.
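For administrators tracking the gradual rollout, here is an added example (not from Google or the original article) that checks an inventory of Chrome version strings against the fixed build 128.0.6613.84 named above. The hostnames, inventory rows and status labels are constructed for illustration, and it covers Chrome only because the article gives no fixed versions for the other Chromium-based browsers.

```python
import re

# Minimum fixed build per platform, as stated in the article. Windows and
# macOS ship .84 or .85, so .84 is the floor on every platform.
FIXED = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one host."""
    fixed = FIXED.get(platform.lower())
    found = parse_version(version_text)
    if fixed is None or found is None:
        return "unknown"  # unlisted platform or unparsable version string
    # Tuple comparison is numeric per component, so build .9 sorts below
    # .84 (a plain string comparison would get this wrong).
    return "patched" if found >= fixed else "needs_update"


def audit(inventory):
    """Map hostname -> status for (host, platform, version_text) rows."""
    return {host: status(plat, ver) for host, plat, ver in inventory}


# Constructed sample inventory (hypothetical hosts, not real data)
SAMPLE = [
    ("ws-01", "Windows", "Google Chrome 128.0.6613.85"),
    ("ws-02", "Windows", "Google Chrome 127.0.6533.120"),
    ("mac-01", "macOS", "Google Chrome 128.0.6613.84"),
    ("lnx-01", "Linux", "Google Chrome 128.0.6613.9"),
    ("lnx-02", "Linux", "version string missing"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```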