Security news that informs and inspires

Google Patches Type Confusion Zero Day in Chrome


Google is warning of a zero-day vulnerability in its Chrome browser, which is being fixed in updates for Mac, Linux and Windows that will be pushed out in the coming days.

The high-severity vulnerability (CVE-2023-3079) exists in V8, Google’s open source JavaScript and WebAssembly engine. Like previous bugs found in V8, CVE-2023-3079 stems from a type confusion issue, which occurs when programs allocate a resource using one type but later access that resource using different, incompatible types.

According to the National Institute of Standards and Technology's National Vulnerability Database, the flaw “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”

In its Monday security advisory, Google said it is aware that an exploit exists in the wild for the vulnerability, which was reported by Clement Lecigne from Google’s Threat Analysis Group (TAG) on June 1.

Google is pushing out updated Chrome versions for Mac and Linux (114.0.5735.106) and Windows (114.0.5735.110) via its stable and extended stable channels. More details on the vulnerability and subsequent exploitation activity are currently not being disclosed, according to Srinivas Sista, technical program manager with Google Chrome, in Google’s advisory.
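A fleet check a defender would want after an advisory like this, written here as an added example rather than anything from the article or from Google: it compares installed Chrome builds against the per-platform patched versions quoted above, using numeric rather than string comparison (as strings, "114.0.5735.90" sorts above "114.0.5735.106"). The inventory rows are constructed sample data.

```python
from typing import Dict, List, Tuple

# Minimum builds carrying the CVE-2023-3079 fix, per platform, as given in
# Google's advisory for the stable and extended stable channels.
PATCHED_VERSIONS: Dict[str, str] = {
    "mac": "114.0.5735.106",
    "linux": "114.0.5735.106",
    "windows": "114.0.5735.110",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a four-part Chrome version string into a tuple of ints so that
    comparisons are numeric; a lexicographic compare would rank .90 above .106."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True when the installed build is at or above the patched build for that
    platform. Note the Windows threshold differs from Mac/Linux."""
    key = platform.lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"no patched version known for platform {platform!r}")
    return parse_version(installed) >= parse_version(PATCHED_VERSIONS[key])


def vulnerable_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, platform, installed_version) rows, return the hosts
    still on a build that predates the fix."""
    return [host for host, platform, ver in inventory if not is_patched(platform, ver)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "windows", "114.0.5735.110"),  # patched
    ("ws-02", "windows", "114.0.5735.106"),  # Mac/Linux fix level, not enough on Windows
    ("mac-01", "mac", "114.0.5735.106"),     # patched
    ("lx-01", "linux", "114.0.5735.90"),     # older build, vulnerable
    ("lx-02", "linux", "115.0.5790.1"),      # newer major, patched
]

if __name__ == "__main__":
    print("still vulnerable:", vulnerable_hosts(SAMPLE_INVENTORY))
```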

Researchers with Flashpoint said that recent changes in the V8 repository show that the vulnerability was addressed in the inline cache (IC) implementation.

“The KeyedStoreIC::StoreElementHandler() function in ic/ic.cc fails to properly handle JavaScript arguments objects,” according to Flashpoint researchers. “This may lead to an out-of-bounds write in the selected IC store handler.”

CVE-2023-3079 marks the third zero-day vulnerability fixed this year by Google. In April, Google issued an emergency Chrome update for an actively exploited integer overflow vulnerability in Skia, the open-source graphics library that serves as the graphics engine for Chrome, ChromeOS and Android. That same month, Google also fixed another actively exploited type confusion bug in V8. Google TAG’s Lecigne is credited with reporting all three zero-day vulnerabilities.