CVE-2024-7965 Google Chrome vulnerability affects Android smartphones and macOS laptops
Google reported the exploitation of CVE‑2024‑7965 on August 26, several days after releasing Chrome 128.0.6613.84, which addressed the security flaw. This vulnerability allows attackers to take control of the browser’s renderer when the victim opens a malicious website containing specially crafted JavaScript code. CVE‑2024‑7965 has been given a CVSS score of 8.8/10.
According to a number of researchers, CVE‑2024‑7965 has been exploited in combination with CVE‑2024‑7964, a vulnerability in Chrome’s Privacy Sandbox. Together, these vulnerabilities enable adversaries to gain control of the browser and steal sensitive data such as passwords, browsing history, and stored cookies. Successful exploitation can also result in the installation of spyware to monitor user activity in the browser.
CVE‑2024‑7965 also affects all Chromium‑based browsers. In some of them, the flaw may still need fixing.
Research has shown that the vulnerability impacts ARM64 devices, specifically Apple laptops released after November 2020 and all Android smartphones.
Our experts have found that CVE‑2024‑7965 stems from the incorrect handling of values during the optimization of JavaScript code execution. This flaw enables attackers to write and read beyond legitimate memory boundaries and consequently hijack code execution. Coupled with a common XSS vulnerability on a popular website subdomain (e.g., my.example.com), CVE‑2024‑7965 allows adversaries to steal user session data on the main domain and all its subdomains (e.g., example.com and mail.example.com). The consequences of such attacks range from the exposure of sensitive data to the installation of malware on the compromised device.
To protect their devices, users should update their browser to the latest version.
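For teams that manage many devices, the update advice above can be turned into an inventory check. The following is an added example, not code from the original article: it compares reported Chrome versions against the fixed release 128.0.6613.84 and puts ARM64 devices first. The CSV column names, host names, the status labels and the browser name "ExampleChromiumBrowser" are assumptions made up for illustration.

```python
import csv
import io

# Fixed Chrome release named in the advisory above.
FIXED_CHROME = (128, 0, 6613, 84)

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,os,arch,browser,version
mbp-014,macOS,arm64,Google Chrome,127.0.6533.120
mbp-022,macOS,arm64,Google Chrome,128.0.6613.84
pixel-07,Android,arm64,Google Chrome,128.0.6613.40
ws-101,Windows,x86_64,Google Chrome,126.0.6478.127
mbp-031,macOS,arm64,ExampleChromiumBrowser,127.1.2.3
kiosk-3,Linux,x86_64,Google Chrome,not-a-version
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one inventory row against the fixed Chrome version."""
    version = parse_version(row["version"])
    if version is None:
        return "unknown-version"
    if row["browser"] != "Google Chrome":
        # Other Chromium-based browsers use their own version numbers;
        # the fixed build has to come from that vendor's advisory.
        return "check-vendor"
    if version >= FIXED_CHROME:
        return "patched"
    # The advisory reports impact on ARM64 devices, so those go first.
    return "update-first" if row["arch"].lower() in ("arm64", "aarch64") else "update"

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions should come from endpoint management or the browser's own About page rather than from User-Agent strings, which Chrome reduces to the major version only.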