Exploit
CVE-2024-7971

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Aug 21, 2024

CVSS 8.8 (High), EPSS 0.04%

Summary

Type confusion in V8 in Google Chrome prior to version 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability is categorized as a "Type Confusion" issue, specifically related to CWE-843 (Access of Resource Using Incompatible Type).

Impact

This vulnerability could allow a remote attacker to exploit heap corruption, potentially leading to arbitrary code execution or data manipulation. The impact is considered high, as it affects the V8 JavaScript engine, a critical component of Google Chrome. Successful exploitation could compromise the integrity and security of the browser, potentially exposing user data or allowing an attacker to gain control of the affected system. The vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level. It requires user interaction but can be exploited over the network without privileges, potentially affecting confidentiality, integrity, and availability.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerability list. Its exploitation has been reported by various sources, including inthewild.io. Malware such as AppleJeus (macOS) (source: Security News Archives), BlueNoroff (source: Newswires), and FudModule (source: BleepingComputer) is known to have weaponized this vulnerability. Threat actors including UNC4736 (source: Security News Archives) and Lazarus Group (source: Security Response / @msftsecresponse) have reportedly exploited this vulnerability.

Patch

A patch is available. Google has addressed this vulnerability in Chrome version 128.0.6613.84. The patch was released on August 21, 2024.

Mitigation

1. Immediately update Google Chrome to version 128.0.6613.84 or later.
2. Enable automatic updates for Google Chrome to ensure timely application of security patches.
3. Implement network segmentation and restrict access to untrusted websites.
4. Use browser isolation technologies to contain potential exploits.
5. Educate users about the risks of visiting untrusted websites or opening suspicious HTML content.
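A version check for step 1, as an added example (not code from this page or from Google): it compares four-part Chrome versions numerically against the fixed build 128.0.6613.84 and also accepts the ChromeOS LTS-126 backport 126.0.6478.256 listed under References. The inventory, hostnames and function names are assumptions constructed for illustration.

```python
import re

# Fixed builds taken from this page: desktop Stable 128.0.6613.84, and the
# ChromeOS LTS-126 backport 126.0.6478.256 listed under References.
FIXED_STABLE = (128, 0, 6613, 84)
BACKPORTS = {(126, 0, 6478): 256}  # branch (major, minor, build) -> first fixed patch

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def assess(version_text):
    """Classify one reported Chrome version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # never treat an unparsable value as safe
    if v >= FIXED_STABLE:
        return "patched"
    fixed_patch = BACKPORTS.get(v[:3])
    if fixed_patch is not None and v[3] >= fixed_patch:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Return host -> status for every host that still needs action."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {h: s for h, s in results.items() if s != "patched"}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "ws-01": "128.0.6613.84",
    "ws-02": "127.0.6533.120",
    "ws-03": "128.0.6613.9",    # a string comparison would wrongly rank .9 above .84
    "cb-04": "126.0.6478.256",  # ChromeOS LTS build carrying the backported fix
    "cb-05": "126.0.6478.100",
    "ws-06": "Chrome/128",      # truncated value from an agent: needs manual review
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{SAMPLE[host]}\t{status}")
```

Hosts reported as `unknown` should be re-inventoried rather than assumed patched.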

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7971.

Aug 21, 2024 at 8:15 PM / inTheWild.io Exploitations

Exploitation in the Wild

Attacks in the wild have been reported by inTheWild.io Exploitations.

Aug 21, 2024 at 8:15 PM / inTheWild.io Exploitations

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 21, 2024 at 8:15 PM

Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Aug 26, 2024 at 11:00 AM / CISA Known Exploited Vulnerability

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6245687)

Aug 28, 2024 at 7:53 AM

Threat Intelligence Report

The vulnerability CVE-2024-7971 in Google Chrome prior to version 128.0.6613.84 is a critical Type confusion vulnerability with a CVSS score of 8.8. It allows a remote attacker to exploit heap corruption via a crafted HTML page. There are no proof-of-concept exploits available, but users should update to the latest version to mitigate the risk of exploitation.

Aug 30, 2024 at 1:32 AM

Trending

This CVE stopped trending in security discussions

Aug 30, 2024 at 9:41 AM

Attribution of Exploits

The vulnerability is known to be exploited by Lazarus Group.

Aug 30, 2024 at 4:55 PM / Security Response / @msftsecresponse

Attribution of Exploits

The vulnerability is known to be exploited by FudModule.

Aug 30, 2024 at 5:05 PM / BleepingComputer

Affected Systems

Google/chrome

Proof Of Exploit

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Patches

Google Chrome chrome-128.0.6613.84

Links to Malware Families

BlueNoroff

Links to Threat Actors

Lazarus Group

References

Long Term Support Channel Update for ChromeOS
A new LTS-126 version 126.0.6478.256 (Platform Version: 15886.81.0) has rolled out for most ChromeOS devices. This version includes selected security fixes, including: 360700873 High CVE-2024-7971 Type Confusion in V8; 368208152 High CVE-2024-9369 Insufficient data validation in Mojo. Giuliana Pritchard, Google ChromeOS
CVE-2024-7971 – Google Chrome Security Vulnerability – August 2024 - Security Boulevard

News

Google Dorks for Bug Bounty: A Treasure Trove for Cybersecurity Enthusiasts
For cybersecurity professionals and bug bounty hunters, Google Dorks is an invaluable tool for reconnaissance and vulnerability assessment. For example, a simple Google Dork query can reveal exposed databases, login pages, and other critical information.
Vulnerability of Cookie-Based Authentication in the Age of AI
One of the primary concerns is the susceptibility of cookies to various attacks, such as cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking. This vulnerability is particularly concerning for cookie-based authentication, as it can lead to unauthorized access to sensitive information and user accounts.
Release notes for Microsoft Edge Security Updates
Microsoft has a fix for CVE-2024-4947 to Microsoft Edge Stable Channel (Version 125.0.2535.51), which has been reported by the Chromium team as having an exploit in the wild. Microsoft has a fix for CVE-2024-5274 to Microsoft Edge Stable Channel (Version 125.0.2535.67) and Extended Stable Channel (Version 124.0.2478.127), which has been reported by the Chromium team as having an exploit in the wild.
qt5-webengine -- Multiple vulnerabilities
NITDA warns of new malware spread through LinkedIn job scams - Techpoint Africa
Nigeria’s National Information Technology Development Agency (NITDA) has warned that cyber attackers are using LinkedIn to spread a new malware variant called ‘CovertCatch.’ In its alert, NITDA advised organisations and individuals to beware of unsolicited job offers or recruitment messages on LinkedIn, especially those requesting file downloads or linking to external sites.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
