CVE-2024-7971

CRITICAL KEV

Google Chrome < 128.0.6613.84 - Type Confusion in V8 via Crafted HTML Page

Title source: llm

Exploitation Summary

CVE-2024-7971 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 26, 2024. EIP tracks 1 public exploit from researchers including mistymntncop.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2024-7971, targeting a vulnerability in V8's WebAssembly implementation. The PoC demonstrates a type confusion issue in Liftoff, V8's baseline WebAssembly compiler, by manipulating operand stack states during loop compilation.

Description

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (1)

nomisec WORKING POC 34 stars

by mistymntncop · client-side

https://github.com/mistymntncop/CVE-2024-7971

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2024-7971, targeting a vulnerability in V8's WebAssembly implementation. The PoC demonstrates a type confusion issue in Liftoff, V8's baseline WebAssembly compiler, by manipulating operand stack states during loop compilation.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: V8 (Chromium) with WebAssembly support, specifically versions affected by CVE-2024-7971

No auth needed

Prerequisites: Access to a vulnerable version of V8/Chromium · Ability to execute JavaScript with specific flags (e.g., --expose-gc, --liftoff-only)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Release Notes

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

Permissions Required

https://issues.chromium.org/issues/360700873

Exploit, Patch, Third Party Advisory, Vendor Advisory

https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-7971

Scores

CVSS v3 9.6

EPSS 0.1927

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2024-08-26

VulnCheck KEV 2024-08-21

InTheWild.io 2024-08-21

ENISA EUVD EUVD-2024-48804

CWE

CWE-843

Status published

Products (2)

google/chrome < 128.0.6613.84

microsoft/edge < 128.0.2739.42

Published Aug 21, 2024

KEV Added Aug 26, 2024

Tracked Since Feb 18, 2026