Google releases a critical security update for Chrome, addressing the CVE-2024-7971 zero-day vulnerability actively exploited in the wild. Update your browser now to stay protected

Continue reading
Google has urgently released a critical security update for Chrome to address a high-severity zero-day vulnerability identified as CVE-2024-7971. This flaw, actively exploited in the wild, has been tagged as a severe security threat due to its potential for arbitrary code execution on unpatched devices.
_"Google is aware that an exploit for CVE-2024-7971 exists in the wild,"_ the company stated in a security advisory published on Wednesday, August 21, 2024. The vulnerability, caused by a type of confusion weakness in Chrome's V8 JavaScript engine, was reported by security researchers from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) just two days prior, on August 19, 2024.
Type confusion vulnerabilities like CVE-2024-7971 occur when the browser interprets data incorrectly due to type misclassification. This flaw, when exploited, allows attackers to manipulate the memory, potentially leading to browser crashes or even worse—executing arbitrary code on the targeted system. Such an exploit could give attackers full control over the victim's device, making it a critical concern for users and organizations alike.
Historically, type confusion flaws in V8 have been used in sophisticated attacks, particularly for remote code execution (RCE) exploits. These can be deployed via maliciously crafted web pages, often without the user's knowledge, making it crucial to apply security patches immediately.
Google has promptly addressed this vulnerability with the release of Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux. These updates will be gradually rolled out to all users in the Stable Desktop channel over the next few weeks.
While Chrome typically updates automatically when new security patches are available, users can expedite the process by manually checking for updates. To do this:
This proactive approach ensures your browser is immediately protected against the exploit, reducing the window of vulnerability.
CVE-2024-7971 marks the ninth zero-day vulnerability patched by Google this year. These zero-day vulnerabilities are particularly concerning because they are often exploited before a fix is available, as was the case with several others earlier in 2024, including:
These vulnerabilities highlight the critical need for maintaining up-to-date software, particularly in widely used applications like Chrome, where exploits can have far-reaching consequences.
The latest Chrome update (version 128.0.6613.84/.85) includes 38 security fixes, many of which were contributed by external security researchers. These fixes span a range of issues from high-severity use-after-free vulnerabilities to low-severity implementation flaws. Here are some notable patches:
In addition to these, Google continues to refine Chrome's security through internal audits, fuzzing, and other initiatives, leveraging advanced tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL to detect and address vulnerabilities before they reach the stable channel.
The patch for CVE-2024-7971 underscores the ongoing threat of zero-day vulnerabilities and the importance of staying vigilant in cybersecurity practices. Users and organizations must prioritize updating their Chrome browsers to mitigate the risk of exploitation. The continuous identification of vulnerabilities, both by internal teams and external researchers, highlights the need for a collaborative approach to cybersecurity, ensuring that threats are addressed swiftly and effectively.
Action Required: Update your Google Chrome browser immediately to version 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 for Linux to protect against this critical zero-day vulnerability.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.