CVE-2024-7971 — Google Chromium V8 Type Confusion Vulnerability

CVE-2024-7971

Google Chromium V8 — Zero-Day Type Confusion Exploited in North Korea-Linked Cryptocurrency Campaigns

What is Chromium V8?

V8 is the open-source JavaScript and WebAssembly engine developed by Google, used in Chrome, Microsoft Edge, Opera, and any application built on the Chromium project. V8 is responsible for parsing and executing JavaScript code encountered while browsing the web. As the most complex and performance-critical component of the browser, V8 is a frequent target for browser exploit chains — a vulnerability in V8 that achieves heap corruption is typically the first stage in a two-step browser exploit: V8 RCE followed by a sandbox escape to execute code on the underlying OS.

Overview

CVE-2024-7971 is a type confusion vulnerability in V8 that allows a remote attacker to trigger heap corruption by serving a crafted HTML page to a victim who visits it. It was exploited as a zero-day in the wild; Google patched it in Chrome 128.0.6613.84/.85 on August 21, 2024. Microsoft Threat Intelligence linked active exploitation to North Korean threat actors targeting the cryptocurrency sector, consistent with a pattern of North Korea-linked APTs (Lazarus Group / APT38 / Citrine Sleet) using browser zero-days to compromise cryptocurrency developers, traders, and exchange employees.

The vulnerability affects all Chromium-based browsers and was patched across Chrome, Edge, and other Chromium derivatives in subsequent releases.

Affected Versions

| Browser | Vulnerable | Fixed |
|---|---|---|
| Google Chrome | < 128.0.6613.84 (Linux) / .85 (Windows/Mac) | 128.0.6613.84/.85 |
| Microsoft Edge | < 128.x equivalent | Subsequent Edge update |
| Other Chromium-based browsers | Prior to patch backport | Per vendor update |

Technical Details

The weakness is classified as CWE-843 (Access of Resource Using Incompatible Type, or Type Confusion). In a type confusion vulnerability, the JavaScript engine incorrectly assumes an object is of one type when it is actually another. The V8 engine's JIT (Just-In-Time) compiler and optimizer make assumptions about object types for performance; if an attacker can cause the engine to process an object whose actual type does not match those assumptions, the engine reads or writes memory using the wrong layout, causing heap corruption.

Controlled heap corruption in V8 provides a powerful primitive: by carefully constructing JavaScript objects, an attacker can convert heap corruption into:

  1. Arbitrary read — leaking memory addresses to defeat ASLR/heap randomization.
  2. Arbitrary write — overwriting function pointers or JIT code to redirect execution.
  3. Code execution within the renderer process (sandboxed).

A full exploit chain requires a second vulnerability (sandbox escape) to break out of Chrome's sandboxed renderer process and execute code on the host OS.

Discovery

Reported to Google by Microsoft Threat Intelligence Center (MSTIC) and Google Threat Analysis Group (TAG). Microsoft MSTIC attributed active exploitation to a North Korean threat actor, specifically Citrine Sleet (a subgroup overlapping with Lazarus Group / APT38, with a focus on financial and cryptocurrency targets), as part of a campaign targeting cryptocurrency sector employees.

Exploitation Context

The North Korean threat actor Citrine Sleet used CVE-2024-7971 as part of a broader campaign targeting the cryptocurrency industry. The attack chain involved luring victims to attacker-controlled websites serving a malicious HTML/JavaScript page that triggered the V8 type confusion, followed by a Windows kernel sandbox escape. Successful exploitation resulted in deployment of the FudModule rootkit — a sophisticated kernel-level implant used by Lazarus Group-affiliated actors — enabling persistent, privileged access to compromised systems. Cryptocurrency developers, exchange employees, and DeFi protocol maintainers were among the targeted individuals.

Remediation

  1. Update Chrome to 128.0.6613.84 (Linux) or .85 (Windows/Mac) or any later version.
  2. Update Microsoft Edge, Opera, Brave, and any other Chromium-based browser to the corresponding patched release.
  3. Enable automatic browser updates to ensure future zero-days are patched promptly.
  4. Organizations should enforce a minimum browser version via policy and consider deploying browser isolation or remote browser isolation (RBI) for high-risk user populations (finance, cryptocurrency, executives).
  5. For individuals at elevated risk of nation-state targeting: use enhanced Safe Browsing in Chrome, avoid clicking unsolicited links, and apply OS and browser updates immediately when released.
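The Affected Versions table above and remediation step 4 both come down to one check: is the installed Chrome build at or above the fixed build for its platform? The following script is an added example, not part of the advisory, that encodes the fixed builds from the table (128.0.6613.84 on Linux, 128.0.6613.85 on Windows/Mac) and runs the comparison over a constructed inventory list. The inventory layout (host, platform, chrome_version) is an assumption for the example; adapt it to whatever your MDM or EDR export produces. Edge and other derivatives carry their own build numbers and are deliberately not handled.

```python
"""Minimum-version check for CVE-2024-7971 (added example, not from the advisory).

Fixed Chrome builds are taken from the advisory's Affected Versions table:
128.0.6613.84 on Linux and 128.0.6613.85 on Windows/macOS. The inventory
format used below is constructed for this example.
"""
from typing import Dict, List, Tuple

# Fixed builds per platform, from the advisory's Affected Versions table.
FIXED_CHROME: Dict[str, Tuple[int, ...]] = {
    "linux": (128, 0, 6613, 84),
    "windows": (128, 0, 6613, 85),
    "mac": (128, 0, 6613, 85),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Chrome reports four components (major.minor.build.patch); shorter strings
    are padded with zeros so that "128" compares below "128.0.6613.84".
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_patched(version: str, platform: str) -> bool:
    """True if this Chrome build is at or above the fixed build for the platform."""
    key = platform.strip().lower()
    if key in ("darwin", "macos", "osx"):
        key = "mac"
    if key not in FIXED_CHROME:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(version) >= FIXED_CHROME[key]


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return hostnames whose Chrome is still below the fixed build.

    Each inventory entry is a dict with 'host', 'platform' and 'chrome_version'
    (a constructed layout for this example; adapt to your own export).
    """
    return [
        entry["host"]
        for entry in inventory
        if not is_patched(entry["chrome_version"], entry["platform"])
    ]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "dev-laptop-01", "platform": "mac", "chrome_version": "128.0.6613.84"},
    {"host": "dev-laptop-02", "platform": "linux", "chrome_version": "128.0.6613.84"},
    {"host": "trader-ws-07", "platform": "windows", "chrome_version": "127.0.6533.120"},
    {"host": "exec-ws-03", "platform": "windows", "chrome_version": "129.0.6668.58"},
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the fixed build for CVE-2024-7971")
```

Note the platform split: a macOS host on 128.0.6613.84 is still vulnerable even though the same build number is the fix on Linux, which is exactly the kind of off-by-one a single global minimum would miss.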

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2024-7971 |
| Vendor / Product | Google — Chromium V8 |
| NVD Published | 2024-08-21 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.6 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-843 |
| CISA KEV Added | 2024-08-26 |
| CISA KEV Deadline | 2024-09-16 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2024-09-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

| Date | Event |
|---|---|
| 2024-08-21 | Google releases Chrome 128.0.6613.84/.85 patching CVE-2024-7971; exploitation confirmed in the wild |
| 2024-08-26 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2024-09-16 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| Chrome Stable Channel Update — August 21, 2024 | Vendor Advisory |
| NVD — CVE-2024-7971 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |