Google patches actively exploited Chrome vulnerability

Photo: In Green / Shutterstock.com

Google has released Chrome 128 to the browser’s stable channel, fixing 38 vulnerabilities. Seven of the fixed issues are high-severity vulnerabilities, with one already being actively exploited, as the search giant reported.

The vulnerability in question is CVE-2024-7971, a type confusion bug in the V8 JavaScript engine powering Chrome and other Chromium-based browsers. On August 19, Microsoft’s Security Response Center (MSRC) and Threat Intelligence Center (MSTIC) teams caught and reported the bug.

In typical fashion, the search giant didn’t disclose any information about potential exploitation, simply stating in its advisory that it is aware of an exploit in the wild. Other high-severity issues include the following:

  • CVE-2024-7964: Use after free vulnerability in Passwords.
  • CVE-2024-7965: Inappropriate implementation in the V8 JavaScript engine.
  • CVE-2024-7966: Out-of-bounds memory access bug in Skia.
  • CVE-2024-7967: Heap buffer overflow in Fonts.
  • CVE-2024-7968: Use after free vulnerability in Autofill.
  • CVE-2024-7969: Type confusion in V8 JavaScript engine.

Out of the 38 vulnerabilities, 20 were reported by external researchers. Google handed out nearly $95,000 in bug bounties for these issues, with the highest reward of $36,000 going to an anonymous researcher who reported the use-after-free vulnerability in Passwords tracked as CVE-2024-7964. However, the bounties for several vulnerabilities, including the actively exploited CVE-2024-7971, have yet to be decided, meaning the final bounty amount can still go much higher.

This is also the sixth Chrome zero-day exploit that the search giant has patched in 2024. For now, version 128.0.6613.84 for Linux and versions 128.0.6613.84/.85 for macOS and Windows are the latest iterations for Chrome, and users are advised to update their browsers as soon as possible.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
