TLDR:
Google warns of another exploited high-severity vulnerability in Chrome 128, tracked as CVE-2024-7965, allowing remote attackers to exploit heap corruption via crafted HTML pages. This issue affects Chrome releases before version 128.0.6613.84 and is being exploited in the wild along with CVE-2024-7971. CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by September 16 under BOD 22-01.
Article Summary:
Less than a week after releasing Chrome 128 to address a zero-day vulnerability, Google now warns that another bug resolved with the update is being exploited in the wild. The vulnerability, tracked as CVE-2024-7965, allows remote attackers to exploit heap corruption through crafted HTML pages. If a user visits a compromised website, attackers could execute code or access sensitive information.
This vulnerability affects Chrome versions before 128.0.6613.84, which was released last week with patches for a total of 37 vulnerabilities, including CVE-2024-7971, another exploited flaw (a type confusion bug in V8). The US cybersecurity agency CISA has added both zero-days to its KEV catalog, warning of potential risks to web browsers built on Chromium.
In response to the exploited vulnerabilities, CISA has issued a Binding Operational Directive (BOD) 22-01, urging federal agencies to identify and patch these flaws by September 16. While the BOD only applies to federal agencies, all organizations are encouraged to prioritize patching vulnerabilities listed in the KEV catalog to mitigate risks.
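A practical follow-up to the patch deadline above is an inventory check that compares each host's reported Chrome version against the fixed release, 128.0.6613.84, numerically rather than as strings. This is an added example, not tooling from Google or CISA; the host names and versions in it are constructed.

```python
"""Flag Chrome/Chromium installs that predate the release fixing
CVE-2024-7965 and CVE-2024-7971 (128.0.6613.84, per the summary above).
Added example, not vendor tooling; sample inventory data is constructed."""
import re

FIXED_VERSION = "128.0.6613.84"  # first Chrome release carrying both fixes


def parse_version(text):
    """Turn a dotted Chrome version such as '128.0.6613.84' into a tuple of ints.

    Raises ValueError for anything that is not four numeric components, so a
    malformed inventory entry is never silently treated as 'patched'.
    Tuples compare component by component, avoiding the string-comparison
    trap where '9.x' sorts after '128.x'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"unexpected Chrome version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` is older than `fixed` and still carries both bugs."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(entries):
    """Given {host: version_string}, return hosts needing the KEV-mandated update.

    Hosts with an unparseable version are flagged too: an unknown version is
    a review item, not evidence of a patched browser."""
    needs_patch = []
    for host, version in entries.items():
        try:
            if is_vulnerable(version):
                needs_patch.append(host)
        except ValueError:
            needs_patch.append(host)
    return sorted(needs_patch)


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {"ws-01": "127.0.6533.120", "ws-02": "128.0.6613.84",
              "ws-03": "128.0.6613.119", "ws-04": "unknown"}
    print(triage_inventory(sample))  # ['ws-01', 'ws-04']
```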