CVE-2024-7971
Published: 21 August 2024
Summary
CVE-2024-7971 is a critical-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 16.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 128.0.6613.84. The flaw permits heap corruption when a victim renders a specially crafted HTML page, carrying a CVSS 3.1 score of 9.6 and classified under CWE-843.
A remote attacker can trigger the issue by serving malicious web content that the target Chrome instance processes, resulting in arbitrary code execution with high impact on confidentiality, integrity, and availability and with scope change.
Chrome stable channel updates released on 21 August 2024 address the bug by advancing the V8 component to a fixed revision; the vulnerability is also tracked in CISA’s Known Exploited Vulnerabilities catalog, indicating that organizations should prioritize patching.
Microsoft has reported active exploitation of this zero-day by the North Korean threat actor Citrine Sleet, and the EPSS score rose materially from low values at disclosure to a peak of 0.0661 on 4 January 2025 before receding, indicating post-disclosure attacker interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48804
Vulnerability details
Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 26 August 2024
Related Threats
Threat-Actor Attribution
- Citrine Sleet (North Korean threat actor; Microsoft reported active exploitation of this zero-day)
MITRE ATT&CK Enterprise Techniques
- T1189 Drive-by Compromise
- T1203 Exploitation for Client Execution
- T1014 Rootkit
Why these techniques?
CVE-2024-7971 is a type confusion vulnerability in Chromium V8 that enables remote code execution via a crafted HTML page (T1203), typically delivered through drive-by compromise (T1189). The Microsoft advisory notes that the actor deploys the FudModule rootkit post-exploitation (T1014).
Affected Assets
- Google Chrome (V8 JavaScript engine), versions prior to 128.0.6613.84
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely application of the vendor patch that upgrades Chrome to 128.0.6613.84 and eliminates the type-confusion flaw.
- SC-18 (Mobile Code): Governs acceptance and execution of mobile code (JavaScript) in the browser, limiting the attack surface that triggers the V8 heap corruption.
- SI-3 (Malicious Code Protection): Requires malicious-code protection mechanisms that can block or alert on crafted HTML/JS pages exploiting the zero-day.
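As an added example supporting the SI-2 control above (this script is not part of the advisory record), the following Python code checks browser inventory entries against the fixed build 128.0.6613.84 stated on this page. It compares version components numerically rather than lexically, which matters because a string comparison would rank a build such as 128.0.6613.9 above 128.0.6613.84. The inventory lines, host names and the non-fixed version numbers are constructed for illustration.

```python
"""Flag Chrome installs still below the CVE-2024-7971 fixed build.

Added example, not from the advisory. FIXED_VERSION comes from the page;
the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# First Stable build that carries the V8 fix (stated in the advisory).
FIXED_VERSION = "128.0.6613.84"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a four-part Chrome version into integers for numeric comparison.

    Raises ValueError for anything that is not MAJOR.MINOR.BUILD.PATCH with
    all-numeric parts, so malformed inventory rows are not silently treated
    as patched or vulnerable.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(installed) < parse_version(fixed)


# Constructed inventory export: hostname,browser,version (one host per line).
SAMPLE_INVENTORY = """\
ws-0101,chrome,127.0.6533.120
ws-0102,chrome,128.0.6613.84
ws-0103,chrome,128.0.6613.9
ws-0104,chrome,129.0.6668.58
ws-0105,firefox,129.0
ws-0106,chrome,128.0
"""


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Bucket hosts into 'vulnerable', 'patched' and 'skipped'.

    'skipped' collects non-Chrome browsers and rows whose version field
    cannot be parsed; those need manual follow-up rather than being
    assumed safe.
    """
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "skipped": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, browser, version = (field.strip() for field in line.split(","))
        if browser.lower() not in ("chrome", "chromium"):
            result["skipped"].append(host)
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "skipped"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

In practice the inventory string would be replaced by an export from endpoint management; the point of the `skipped` bucket is that an unparsable or non-Chrome row is surfaced for review instead of being counted as remediated.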