⚠ Actively exploited
Added to CISA KEV on 2024-08-26. Federal agencies required to patch by 2024-09-16. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2024-7971

CWE-84314 documents12 sources
Severity
9.6CRITICAL
EPSS
1.5%
top 19.21%
CISA KEV
KEV
Added 2024-08-26
Due 2024-09-16
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Google ChromeMicrosoft Edge
Timeline
PublishedAug 21
KEV addedAug 26
KEV dueSep 16
Latest updateOct 29
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages4 packages

CVEListV5google/chrome128.0.6613.84128.0.6613.84
NVDgoogle/chrome< 128.0.6613.84
Debianchromium< 128.0.6613.84-1~deb12u1+2
NVDmicrosoft/edge< 128.0.2739.42

Patches

Patch: www.microsoft.com

🔴Vulnerability Details

4
GHSA
GHSA-pq5w-h3jm-m95c: Type confusion in V8 in Google Chrome prior to 1282024-08-21
CVEList
CVE-2024-7971: Type confusion in V8 in Google Chrome prior to 1282024-08-21
OSV
CVE-2024-7971: Type confusion in V8 in Google Chrome prior to 1282024-08-21
VulnCheck
Google Chromium V8 Type Confusion Vulnerability2024

📋Vendor Advisories

6
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2024-79712024-10-29
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2024-79682024-09-09
CISA
Google Chromium V8 Type Confusion Vulnerability2024-08-26
Red Hat
chromium-browser: Type confusion in V8 in Google Chrome allows a remote attacker to exploit heap corruption via a crafted HTML page2024-08-21
Microsoft
Chromium: CVE-2024-7971 Type confusion in V82024-08-13

🕵️Threat Intelligence

3
Microsoft
North Korean threat actor Citrine Sleet exploiting Chromium zero-day2024-08-30
Bleepingcomputer
Google tags a tenth Chrome zero-day as exploited this year2024-08-26
Bleepingcomputer
Google fixes ninth Chrome zero-day tagged as exploited this year2024-08-21