CVE-2024-7965

HIGH KEV

Google Chrome < 128.0.6613.84 - Remote Code Execution via V8 Heap Corruption

Title source: llm

Exploitation Summary

CVE-2024-7965 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 28, 2024. EIP tracks 2 public exploits from researchers including bi-zone, XueDugu.

AI-analyzed exploit summary This PoC exploits a vulnerability in V8 on ARM64 devices, leveraging type confusion and out-of-bounds array access to achieve memory corruption. The code manipulates array indices and values to trigger the vulnerability, likely leading to arbitrary memory read/write.

Description

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (2)

nomisec WORKING POC 48 stars

by bi-zone · client-side

https://github.com/bi-zone/CVE-2024-7965

View Code ZIP pw:eip

This PoC exploits a vulnerability in V8 on ARM64 devices, leveraging type confusion and out-of-bounds array access to achieve memory corruption. The code manipulates array indices and values to trigger the vulnerability, likely leading to arbitrary memory read/write.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Theoretical

Target: V8 JavaScript Engine (ARM64)

No auth needed

Prerequisites: ARM64 architecture · Vulnerable version of V8

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by XueDugu · poc

https://github.com/XueDugu/cve-2024-7965-poc

View Code ZIP pw:eip

This PoC demonstrates a heap memory corruption vulnerability in Google Chrome's V8 JavaScript engine (CVE-2024-7965) on ARM64 devices. It manipulates array bounds and uses specific input conditions to trigger the vulnerability, potentially leading to arbitrary code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: Google Chrome < 128.0.6613.84 (ARM64)

No auth needed

Prerequisites: Victim must visit a malicious webpage · Target device must be ARM64 architecture

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Release Notes

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Permissions Required

https://issues.chromium.org/issues/356196918

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7965

Scores

CVSS v3 8.8

EPSS 0.2280

EPSS Percentile 96.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2024-08-28

VulnCheck KEV 2024-08-21

InTheWild.io 2024-08-21

ENISA EUVD EUVD-2024-48798

CWE

CWE-358 CWE-787

Status published

Products (2)

google/chrome < 128.0.6613.84

microsoft/edge_chromium < 128.0.2739.42

Published Aug 21, 2024

KEV Added Aug 28, 2024

Tracked Since Feb 18, 2026