The vulnerability, fixed in an update released last week, is now being exploited in the wild.

Google is warning Chrome users of a critical vulnerability that is being actively exploited in the wild even after a patch became available.

The vulnerability, tracked as CVE-2024-7965, is an inappropriate implementation security flaw in the V8 JavaScript and WebAssembly engine that received a CVSS rating of 8.8 out of 10.

Google, in the advisory released with the patch, noted that the vulnerability has come under active exploitation in the wild after the patch was released last week.

Actively exploited

While Google confirmed the bug has been actively exploited in the wild, it has yet to share additional information about the attacks.

It is now known that the recently patched high-severity vulnerability was caused by a bug in the compiler backend during the selection of instructions for just-in-time (JIT) compilation.

Google is calling it an “inappropriate implementation” bug, which refers to a type of security flaw that arises when software or a system is improperly designed or implemented, leading to unintended behavior that can be exploited by attackers.

“Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said a NIST National Vulnerability Database (NVD) description of the bug.

Discovery of CVE-2024-7965 has been credited to one of Google’s Bug Bounty winners who goes by the moniker TheDog. The participant received $11,000 for their discovery of the bug.

Google faces its 10th zero-day

Despite limited information, several media reports are calling this the 10th zero-day vulnerability Google has suffered this year. The last bug to be exploited in the wild before a fix was available was CVE-2024-7971, a type confusion vulnerability in V8 in Google Chrome.
CVE-2024-7971, which also received a CVSS rating of 8.8 out of 10, was fixed by Google last week in the same release that patched CVE-2024-7965. Both flaws were fixed in Chrome version 128.0.6613.84/.85 for Windows/macOS systems and version 128.0.6613.84 for Linux users.

The other eight vulnerabilities that make up the list of zero-days Google faced include CVE-2024-0519, CVE-2024-2887, CVE-2024-2886, CVE-2024-3159, CVE-2024-4671, CVE-2024-4761, CVE-2024-4947, and CVE-2024-5274.

The fixes have been rolled out to all users since the release, and Google Chrome will automatically update with the available patch.
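As an added example (not from the article or from Google), here is a fleet check against the fixed build 128.0.6613.84 named above. The host names and inventory rows are constructed, and the code assumes the inventory reports Chrome's four-part build string.

```python
import re

# Fixed build named on the page: Chrome 128.0.6613.84 (Windows/macOS also got .85).
FIXED_BUILD = (128, 0, 6613, 84)

# Four dot-separated numbers, optionally followed by text such as "(Official Build)".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s.*)?$")


def parse_version(text):
    """Return the build as a 4-tuple of ints, or None if it cannot be parsed."""
    m = _VERSION_RE.match(text)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # an unparseable report is never treated as safe
    # Tuple comparison is numeric per component, so .9 sorts below .84.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Group host names by patch status, preserving inventory order."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory; hosts and rows are hypothetical.
SAMPLE_INVENTORY = [
    ("win-01", "128.0.6613.85"),
    ("mac-02", "128.0.6613.84 (Official Build)"),
    ("lin-03", "128.0.6613.9"),    # a plain string compare would rank this above .84
    ("win-04", "127.0.6533.120"),
    ("lin-05", "129.0.6668.58"),
    ("kiosk-06", "not reported"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group need a manual check rather than being counted as updated.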