Google is rolling out patches to address a serious security flaw in its Chrome browser that Google says has been actively exploited in the wild.
The flaw (identified as CVE-2024-7971) is a type confusion bug in the V8 JavaScript and WebAssembly engine, as reported by The Hacker News. Google acknowledged the flaw in a blog post stating that the company is “aware that an exploit for CVE-2024-7971 exists in the wild.”
According to the National Vulnerability Database, this type confusion bug “allowed a remote attacker to exploit heap corruption via a specially crafted HTML page.” For those unaware, heap corruption is a kind of memory error that exploits can take advantage of. According to BlackBerry, it can be benign in some cases, but it can also cause a fatal memory error where the system will not allow the associated processes to run.
In its blog post, Google credits the Microsoft Threat Intelligence Center and Microsoft Security Response Center with discovering and reporting the flaw on August 19.
At the time of writing, Google has not yet released details on the nature of the attacks exploiting the flaw or who may have weaponized it. According to The Hacker News, this is the third type confusion bug that Google has patched this year.
To apply Google's patch, you'll need to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS. Linux users will need to update to version 128.0.6613.84. The patch is being rolled out gradually and may not be available to all Chrome users right away. Be sure to check back regularly if you don't see the new version yet.
Other Chromium-based browsers may also be affected, including Brave, Microsoft Edge, Opera, and Vivaldi, and users should apply patches as soon as they become available.
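For anyone checking more than one machine, the version thresholds above can be applied to collected browser version strings. The following is an added example, not code from Google or from this article; the hostnames and inventory rows are constructed, and other Chromium-based browsers are reported as unknown because the article gives no fixed build for them.

```python
import re

# Minimum fixed Chrome builds as stated in the article above.
PATCHED = {
    "windows": (128, 0, 6613, 84),
    "macos": (128, 0, 6613, 84),
    "linux": (128, 0, 6613, 84),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text such as
    'Google Chrome 128.0.6613.84' and return it as a tuple of ints."""
    match = VERSION_RE.search(text or "")
    return tuple(int(p) for p in match.groups()) if match else None


def assess(product, os_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    if product.lower() not in ("chrome", "google chrome"):
        return "unknown"  # no fixed build given for other browsers
    minimum = PATCHED.get(os_name.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unsupported platform or unparseable output
    # Tuples compare numerically per component, so build .9 is older
    # than .84 (a plain string comparison would get this wrong).
    return "patched" if version >= minimum else "vulnerable"


# Constructed sample inventory: (host, product, os, reported version text).
INVENTORY = [
    ("ws-01", "Chrome", "windows", "Google Chrome 128.0.6613.85"),
    ("mac-07", "Chrome", "macos", "Google Chrome 128.0.6613.9"),
    ("lnx-03", "Chrome", "linux", "Google Chrome 127.0.6533.119"),
    ("ws-09", "Microsoft Edge", "windows", "Microsoft Edge 127.0.2651.105"),
    ("lnx-11", "Chrome", "linux", "google-chrome: command not found"),
]


def report(rows=INVENTORY):
    """Map each host to its patch status for CVE-2024-7971."""
    return {host: assess(prod, os_name, ver) for host, prod, os_name, ver in rows}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```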