CVE-2024-7965 — Google Chromium V8 Inappropriate Implementation Vulnerability


Google Chromium V8 — Zero-Day Inappropriate Implementation Enables Heap Corruption; Part of August 2024 North Korea Browser Campaign

What is Chromium V8?

V8 is the open-source JavaScript and WebAssembly engine powering Chrome, Edge, Opera, and all Chromium-based applications. It compiles and optimizes JavaScript code via a JIT compiler (TurboFan) that makes type and value assumptions about objects for performance. When these assumptions are violated through crafted JavaScript, the result is memory corruption — the foundation for most modern browser exploit chains. V8 vulnerabilities are among the most valuable in offensive security, as they provide code execution within the renderer sandbox of the world's most-used browser engine.

Overview

CVE-2024-7965 is an inappropriate implementation vulnerability in V8 that allows a remote attacker to trigger heap corruption by serving a crafted HTML page. It was patched in Chrome 128.0.6613.84/.85 on August 21, 2024 — the same release that patched CVE-2024-7971 (a V8 type confusion zero-day confirmed by Microsoft Threat Intelligence and Google TAG as exploited by North Korean Citrine Sleet). CVE-2024-7965 was confirmed as a separate zero-day in the same update, reported by TheDog, an anonymous researcher. CISA added it to the KEV catalog seven days after the patch.

Affected Versions

Browser                        Vulnerable                                     Fixed
Google Chrome                  < 128.0.6613.84 (Linux) / .85 (Windows/Mac)    128.0.6613.84/.85
Microsoft Edge                 Prior to equivalent patch                      Corresponding Edge update
Other Chromium-based browsers  Prior to backport                              Per vendor update

Technical Details

CWE-787 (Out-of-Bounds Write). An "inappropriate implementation" in V8 refers to a logic flaw in the engine's handling of JavaScript constructs where the implementation deviates from the specification in a way that can be exploited — distinct from a pure type confusion or bounds check failure, but with similar exploitability. The result is heap corruption within the V8 sandbox, which can be used to:

  1. Build arbitrary read/write primitives within the renderer process.
  2. Execute code in the sandboxed Chrome renderer.
  3. Chain with a second vulnerability to escape the sandbox for full OS compromise.

CVE-2024-7965 and CVE-2024-7971 were patched simultaneously, indicating Google discovered or was notified of both zero-days being used together in the same exploitation campaign.

Discovery

Reported by TheDog (anonymous researcher). The August 21, 2024 Chrome release patched both this and CVE-2024-7971 as confirmed zero-days — the simultaneous patch of two V8 zero-days in a single release reflects the urgency of confirmed active exploitation.

Exploitation Context

The August 2024 Chrome zero-day cluster (CVE-2024-7965 and CVE-2024-7971) was associated with the North Korea-linked Citrine Sleet / Lazarus Group campaign documented by Microsoft Threat Intelligence and Google TAG. The campaign targeted cryptocurrency industry employees and financial sector workers, delivering the FudModule rootkit as the final payload via a full exploit chain: browser V8 vulnerability → renderer code execution → Windows kernel privilege escalation (CVE-2024-38193, AFD.sys use-after-free) → FudModule rootkit for persistent kernel-level access.

Remediation

  1. Update Chrome to 128.0.6613.84 (Linux) or .85 (Windows/Mac) or any later version.
  2. Update all other Chromium-based browsers (Edge, Opera, Brave, etc.) to their corresponding patched releases.
  3. Enable automatic browser updates — Chrome's auto-update is the fastest security delivery mechanism for any widely deployed software.
  4. Organizations managing browser fleets: enforce minimum Chrome version via Chrome Enterprise policy.
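A fleet check that a defender could run against a browser inventory to flag installs still below the fixed builds listed above; this is an added example, not code from the advisory or from Google, and the inventory format and hostnames are constructed for illustration.

```python
from typing import List, Tuple

# Minimum patched build per platform, as stated in the Chrome stable channel update.
FIXED_VERSION = {
    "linux": (128, 0, 6613, 84),
    "windows": (128, 0, 6613, 85),
    "mac": (128, 0, 6613, 85),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Four-part Chrome version -> int tuple (string compare would rank 99 above 128)."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str, platform: str) -> bool:
    """True if this build includes the CVE-2024-7965 fix for its platform."""
    minimum = FIXED_VERSION.get(platform.strip().lower())
    if minimum is None:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= minimum

def hosts_needing_update(inventory: str) -> List[str]:
    """Hostnames whose recorded build predates the fix. Lines are 'hostname,platform,version';
    blanks and '#' comments are skipped. Unparseable lines are flagged too, never silently passed."""
    flagged = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split(",", 1)[0].strip()
        try:
            _, platform, version = (f.strip() for f in line.split(","))
            if not is_patched(version, platform):
                flagged.append(host)
        except ValueError:  # wrong field count, unknown platform, or bad version string
            flagged.append(host)
    return flagged

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """\
# hostname,platform,version
ws-fin-01,windows,127.0.6533.120
build-lnx-07,linux,128.0.6613.84
mbp-ops-03,mac,128.0.6613.84
kiosk-09,linux,unknown
"""
if __name__ == "__main__":
    print("Needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Note that a Mac at 128.0.6613.84 is flagged because the Windows/Mac fix is the .85 build; a single cross-platform threshold would miss that case.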

Key Details

Property               Value
CVE ID                 CVE-2024-7965
Vendor / Product       Google — Chromium V8
NVD Published          2024-08-21
NVD Last Modified      2025-10-24
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787
CISA KEV Added         2024-08-28
CISA KEV Deadline      2024-09-18
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-09-18. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-08-21   Google releases Chrome 128.0.6613.84/.85 patching CVE-2024-7965 and CVE-2024-7971; both confirmed zero-days
2024-08-28   Added to CISA Known Exploited Vulnerabilities catalog
2024-09-18   CISA BOD 22-01 remediation deadline

References

Resource                                         Type
Chrome Stable Channel Update — August 21, 2024   Vendor Advisory
NVD — CVE-2024-7965                              Vulnerability Database
CISA KEV Catalog Entry                           US Government