U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium V8 Inappropriate Implementation Vulnerability CVE-2024-38856 (CVSS score of 8.8) to its Known Exploited Vulnerabilities (KEV) catalog.
This week Google released a security update to address the Chrome zero-day vulnerability CVE-2024-7965 that is actively exploited.
The vulnerability is an Inappropriate implementation issue that resides in Chrome’s V8 JavaScript engine.
“Google is aware that exploits for CVE-2024-7971 and CVE-2024-7965 exist in the wild.” reads the advisory published by the company that did not share details about the attacks exploiting the issue. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
The security researcher TheDog reported the flaw on 2024-07-30.
Google addressed the vulnerability with the release of 128.0.6613.84/.85 for Windows/macOS and 128.0.6613.84 (Linux). The company will release versions for all users in the Stable Desktop channel over the coming weeks.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by September 18, 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)