The bug was discovered by Google's research group that focuses on government-backed attacks.
Google has issued urgent patches for a quartet of Chrome vulnerabilities, including a zero-day type confusion bug already exploited by attackers.
A stable channel update, published Wednesday, detailed four bugs discovered by non-Chrome researchers, with the zero-day discovered just the day before patching.
The type-confusion bug in the open source V8 JavaScript engine for the Chrome browser will cause the most concern of the four, with Google aware that an exploit exists in the wild.
V8 issues
The advisory is scant on detail, but reveals the bug was flagged by the Google Threat Analysis Group (TAG), which is dedicated to countering “government-backed hacking and attacks”.
Type confusion bugs occur when the affected product accesses a resource as if it were of an incompatible type, leading to logic errors that, in languages without memory safety, can enable out-of-bounds memory access.
While V8 itself is not memory safe, out-of-bounds access should be limited in this case by the V8 Sandbox, a feature released in April 2024 to address the proliferation of memory corruption issues in Chrome.
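To make the mechanism concrete, the following C snippet is an added illustration (not V8 or Chrome code) of how a missing type-tag check turns into an out-of-bounds range, and how a tag check plus a heap-bounds check of the kind the V8 Sandbox provides contains it. The object layout, tags, the `heap` array and the `string_char_range_*` functions are all constructed for this example; a small-integer object whose value fields are reinterpreted as a string's length and offset stands in for the confused type.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration, not V8 code: a tiny "heap" of tagged objects. */
enum kind { KIND_SMALL_INT = 1, KIND_STRING = 2 };

struct obj {
    uint32_t kind;  /* runtime type tag */
    uint32_t a;     /* SMALL_INT: integer value;  STRING: byte length            */
    uint32_t b;     /* SMALL_INT: unused;         STRING: offset of chars in heap */
};

#define HEAP_SIZE 256u
static uint8_t heap[HEAP_SIZE];

/* Vulnerable pattern: the caller "knows" the object is a string and skips the
   tag check. If the object is really a SMALL_INT, its value is reinterpreted as
   a length/offset pair and the derived range can lie far outside the heap. */
static bool string_char_range_unchecked(const struct obj *o, size_t *start, size_t *end)
{
    *start = o->b;
    *end   = (size_t)o->b + o->a;
    return true;
}

/* Hardened pattern: verify the tag before interpreting the fields, and bound
   every derived range to the heap region (the containment role a sandbox plays
   even when a higher-level type check has been bypassed). */
static bool string_char_range_checked(const struct obj *o, size_t *start, size_t *end)
{
    if (o->kind != KIND_STRING)
        return false;                        /* type confusion caught */
    if (o->b > HEAP_SIZE || o->a > HEAP_SIZE - o->b)
        return false;                        /* range would escape the heap */
    *start = o->b;
    *end   = (size_t)o->b + o->a;
    return true;
}

/* Does a computed [start, end) range fall outside the heap? */
static bool range_escapes_heap(size_t start, size_t end)
{
    return end > HEAP_SIZE || start > end;
}

int main(void)
{
    /* Constructed sample: an integer object handed to string code. */
    struct obj confused = { KIND_SMALL_INT, 0x41414141u, 0x7fffu };
    struct obj str      = { KIND_STRING, 5u, 16u };
    size_t s, e;

    (void)heap;
    string_char_range_unchecked(&confused, &s, &e);
    printf("unchecked: [%zu, %zu) escapes heap: %s\n", s, e,
           range_escapes_heap(s, e) ? "yes" : "no");
    printf("checked on confused object: %s\n",
           string_char_range_checked(&confused, &s, &e) ? "allowed" : "rejected");
    if (string_char_range_checked(&str, &s, &e))
        printf("checked on real string: [%zu, %zu) inside heap\n", s, e);
    return 0;
}
```

The unchecked accessor happily produces a range starting at 0x7fff and spanning over a gigabyte; the checked one refuses the confused object outright and, for a genuine string, only returns a range that stays within `heap`. Real engines implement the second half of that defence at a much lower level, but the principle is the same: a type check stops the confusion, and a bounds check on the region limits the blast radius if the type check is ever wrong.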
Data shared by Google showed all Chrome exploits seen in the wild between 2021 and 2023 began with a memory corruption vulnerability.
V8 is no stranger to this bug class: the 2022 type confusion bug CVE-2022-1096 was also exploited in the wild.
Other vulns fixed
The other three vulns disclosed in Wednesday’s stable channel update (affecting the most widely-used version of Chrome) include use-after-free bugs in WebGPU implementation Dawn and real-time communication tool WebRTC.
They were disclosed by third-party researchers Giunash (Gyujeong Jin) and sherkito, who received $15,000 and $10,000 respectively through the Chrome Vulnerability Reward Program.
A heap buffer overflow issue, which can be used to execute arbitrary code, was also patched in default WebGL backend ANGLE after discovery by Google’s cybersecurity LLM Big Sleep.