CVE-2024-7965
Published: 21 August 2024
Summary
CVE-2024-7965 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 4.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2024-7965 is an inappropriate implementation flaw in the V8 JavaScript engine that affects Google Chrome versions prior to 128.0.6613.84. The issue stems from insufficient bounds checking that can lead to heap corruption when processing a specially crafted HTML page, corresponding to CWE-787 and CWE-358. It carries a CVSS 3.1 base score of 8.8, reflecting a network attack vector, low complexity, and no required privileges.
An unauthenticated remote attacker can exploit the vulnerability by convincing a user to visit a malicious web page, after which successful exploitation may allow arbitrary code execution within the renderer process with the potential to compromise confidentiality, integrity, and availability of the browser.
The official Chrome stable channel update released on 21 August 2024 upgrades V8 to a fixed version; administrators are advised to ensure all desktop and mobile instances are updated promptly. The vulnerability is also tracked in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
EPSS scores rose from low values at disclosure to a peak of 0.2753 on 23 September 2024 before receding to the current 0.2280, indicating measurable post-disclosure exploitation interest that warrants continued monitoring.
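To verify the update described above across a fleet, the following added example (not part of the original page or of any Google tooling) classifies a software inventory against the fixed build 128.0.6613.84. The host names, CSV column names and sample versions are constructed, and applying one threshold to every platform is an assumption based on the single fixed version this page gives.

```python
import csv
import io

# First fixed Chrome build, taken from the advisory text on this page.
FIXED = (128, 0, 6613, 84)

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,chrome_version
ws-001,127.0.6533.120
ws-002,128.0.6613.84
ws-003,128.0.6613.9
ws-004,99.0.4844.51
ws-005,129.0.6668.58
ws-006,unknown-build
"""

def parse_version(text):
    """Return (major, minor, build, patch) as ints, or None if malformed."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """'vulnerable' if below FIXED, 'patched' if at or above, else 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never treat an unparseable version as safe
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank 128.0.6613.9 above 128.0.6613.84 and 99.x above 128.x.
    return "vulnerable" if version < FIXED else "patched"

def audit(inventory_csv):
    """Group hosts by status for a CSV with host and chrome_version columns."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("chrome_version"))].append(row["host"])
    return report

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be followed up manually rather than counted as patched.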
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48798
Vulnerability details
Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 28 August 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch that brings Chrome to 128.0.6613.84 and eliminates the heap-corruption flaw in V8.
Enforces malicious-code detection and blocking on web content before a crafted HTML page can trigger the V8 vulnerability.
Enables continuous monitoring of browser processes and anomalous memory behavior that would indicate attempted exploitation of CVE-2024-7965.