Google fixed the third Chrome zero-day of 2023

Google released security updates to address a high-severity zero-day flaw in the Chrome web browser that it actively exploited in the wild.

Google released security updates to address a high-severity vulnerability, tracked as CVE-2023-3079, in its Chrome web browser. The vulnerability is a type confusion issue that resides in the V8 JavaScript engine. The IT giant is aware that the vulnerability is being actively exploited in the wild.

The vulnerability was discovered by Clement Lecigne of Google’s Threat Analysis Group (TAG), which is the team at Google that monitors the activity of nation-state actors.

The vulnerability has reported on June 1, 2023, it is likely that the flaw was exploited as part of an exploit used by a state-sponsored APT group.

Google did not disclose details of the attacks exploiting the vulnerability CVE-2023-3079.

“Google is aware that an exploit for CVE-2023-3079 exists in the wild.” reads the advisory published by the company. “The Stable and extended stable channels has been updated to 114.0.5735.106 for Mac and Linux and 114.0.5735.110 for Windows, which will roll out over the coming days/weeks.”

CVE-2023-3079 is the third actively exploited zero-day in Chrome addressed by Google in 2023, the other ones are:

• CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8
• CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library

All the above issues were reported by Clément Lecigne of Google’s Threat Analysis Group.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)