Google patches its tenth zero-day of 2024 in Chrome, CVE-2024-7965, a high-severity vulnerability exploited in the wild. Discover how this flaw in the V8 JavaScript engine allowed remote code execution...

Continue reading
Google disclosed the patching of yet another critical zero-day vulnerability exploited in the wild within its Chrome browser. This marks the tenth zero-day of 2024, a worrying trend that underscores the escalating intensity of cyber threats targeting widely used applications like Chrome. The vulnerability, tracked as CVE-2024-7965, was reported by a security researcher known only as "TheDog" and was swiftly patched to prevent further exploitation.
The vulnerability lies within Chrome's V8 JavaScript engine, specifically in the compiler backend responsible for Just-In-Time (JIT) compilation. The bug is classified as an "inappropriate implementation," which allows remote attackers to exploit heap corruption via a crafted HTML page. This type of vulnerability is particularly dangerous as it can be weaponized to execute arbitrary code on the target system, potentially leading to full system compromise.
JIT compilation is a critical feature in modern browsers, designed to optimize the execution of JavaScript by converting code into machine language on-the-fly. However, its complexity also makes it a prime target for attackers, as vulnerabilities in this component can have far-reaching consequences.
Google has addressed the CVE-2024-7965 vulnerability in Chrome versions 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux. The updates have been rolled out via the Stable Desktop channel since Wednesday, August 21, 2024. Users are strongly advised to ensure their browsers are up-to-date, as the patch mitigates not only CVE-2024-7965 but also CVE-2024-7971, another high-severity zero-day related to type confusion in the V8 engine, disclosed and patched earlier this month.
The exploitation of CVE-2024-7965 in the wild suggests that attackers were actively targeting users before the patch was available. This highlights the critical importance of keeping software updated, especially in environments where web browsers serve as a primary interface to the internet. Vulnerabilities in components like JIT compilers are particularly dangerous because they can be triggered by simply visiting a malicious or compromised website, without any further user interaction.
The immediate application of security patches is crucial. Although Chrome is configured to update automatically, users can manually expedite this process by navigating to the Chrome menu > Help > About Google Chrome. Once the update is applied, restarting the browser by clicking the "Relaunch" button ensures that the patches are active.
Google has a long-standing policy of delaying detailed disclosure of vulnerabilities until a majority of users have applied the necessary updates. This approach minimizes the window of opportunity for attackers to exploit the vulnerability on unpatched systems. In the case of CVE-2024-7965, Google has not yet released comprehensive details, likely because the vulnerability may still exist in third-party libraries used by other projects. The company has committed to retaining restrictions on access to bug details until all affected parties have had the opportunity to implement fixes.
The patching of CVE-2024-7965 brings the total number of zero-days addressed by Google in 2024 to ten. This growing trend underscores the evolving nature of cyber threats and the increasing sophistication of attackers who are continually finding new ways to exploit even the most secure systems. The other significant zero-days patched by Google this year include:
Ensure your Chrome browser is up-to-date to stay protected against these vulnerabilities.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.