
CVE-2024-7971

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 August 2024
Modified: 24 October 2025
KEV Added: 26 August 2024
Patch: 30 August 2024
CVSS v3.1 Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0187 (83.5th percentile)
Risk Priority: 40 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-7971 is a critical-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 16.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 128.0.6613.84. The flaw allows heap corruption when a victim renders a specially crafted HTML page; it carries a CVSS 3.1 score of 9.6 and is classified under CWE-843.

A remote attacker can trigger the issue by serving malicious web content that the target Chrome instance processes, resulting in arbitrary code execution. The CVSS vector records high impact on confidentiality, integrity and availability, with a scope change.

Chrome stable channel updates released on 21 August 2024 address the bug by advancing the V8 component to a fixed revision; the vulnerability is also tracked in CISA’s Known Exploited Vulnerabilities catalog, indicating that organizations should prioritize patching.

Microsoft has reported active exploitation of this zero-day by the North Korean threat actor Citrine Sleet, and the EPSS score rose materially from low values at disclosure to a peak of 0.0661 on 4 January 2025 before receding, indicating post-disclosure attacker interest.

Vulnerability details

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s): CWE-843 (Type Confusion)
KEV Date Added: 26 August 2024

Related Threats

Threat-Actor Attribution (AI)

Microsoft attributes exploitation of this Chromium zero-day to the North Korean actor Citrine Sleet (Aug 2024 blog).

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1014 Rootkit (Stealth): Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
Why these techniques?

CVE-2024-7971 is a type confusion vulnerability in Chromium V8 enabling RCE via crafted HTML (T1203, often delivered via drive-by compromise, T1189). The advisory notes that the actor deploys the FudModule rootkit post-exploitation (T1014).

Affected Assets

Google Chrome ≤ 128.0.6613.84
Microsoft Edge ≤ 128.0.2739.42

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly requires timely application of the vendor patch that upgrades Chrome to 128.0.6613.84 and eliminates the type-confusion flaw.

SC-18 Mobile Code (partial match; prevent)

Governs acceptance and execution of mobile code (JavaScript) in the browser, limiting the attack surface that triggers the V8 heap corruption.

(prevent, detect)

Requires malicious-code protection mechanisms that can block or alert on crafted HTML/JS pages exploiting the zero-day.
