Google is warning of a zero-day vulnerability in its Chrome browser, which is being fixed in updates for Mac, Linux and Windows that will be pushed out in the coming days.
According to the National Institute of Standards and Technology's National Vulnerability Database, the flaw “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.”
In its Monday security advisory, Google said it is aware that an exploit exists in the wild for the vulnerability, which was reported by Clement Lecigne from Google’s Threat Analysis Group (TAG) on June 1.
Google is pushing out updated Chrome versions for Mac and Linux (114.0.5735.106) and Windows (114.0.5735.110) via its stable and extended stable channels. More details on the vulnerability and subsequent exploitation activity are currently not being disclosed, according to Srinivas Sista, technical program manager with Google Chrome, in Google’s advisory.
Researchers with Flashpoint said that recent changes in the V8 repository show that the vulnerability was addressed in the inline cache (IC) implementation.
CVE-2023-3079 marks the third zero-day vulnerability fixed this year by Google. In April, Google issued an emergency Chrome update for an actively exploited integer overflow vulnerability that existed in Skia, an open-source graphics library that serves as the graphics engine for Chrome, ChromeOS and Android. That same month, Google also fixed another actively-exploited type confusion bug in V8. Google TAG’s Lecigne is credited with reporting all three zero-day vulnerabilities.