On Friday, Google released an emergency security update for a zero-day vulnerability in its popular Chrome desktop browser that it reported is being actively exploited. The flaw impacts Windows, macOS and Linux versions of the Google Chrome desktop browser prior to build version 112.0.5615.121.
The vulnerability, tracked as CVE-2023-2033, has a CVSS rating of high and is classified as a type confusion flaw located in Chrome's V8 open-source JavaScript engine. According to NIST's description, the flaw allows "a remote attacker to potentially exploit heap corruption via a crafted HTML page."
“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” Google explained.
There are few additional details regarding the bug, as specifics are “kept restricted until a majority of users are updated with a fix.”
A type confusion vulnerability, according to MITRE, “can lead to out-of-bounds memory access” in languages without memory safety, such as C and C++. Type confusion vulnerabilities, in the context of Chrome's V8 JavaScript engine, occur when “the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.”
The Friday patch update included a second security fix; however, no CVE was provided for the second bug. Clément Lecigne of Google's Threat Analysis Group is credited with identifying the vulnerability (CVE-2023-2033), first spotted on April 11.
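A fleet check against the fixed build named above, as an added example that is not part of the original article. It assumes an inventory of `host,os,version string` rows (the hosts and versions below are constructed) and compares versions numerically, since a plain string comparison would rank 112.0.5615.49 above 112.0.5615.121.

```python
import re

# Fixed build stated in the article for CVE-2023-2033.
FIXED_BUILD = (112, 0, 5615, 121)

# Matches a four-part Chrome version anywhere in a string,
# e.g. in the output of `google-chrome --version`.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string against the fixed build."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: needs manual follow-up
    # Tuple comparison is numeric per component, so .49 < .121 as intended.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def triage(inventory_lines):
    """Group hosts by status. Each line is 'host,os,version string'."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory_lines:
        fields = [field.strip() for field in line.split(",", 2)]
        if len(fields) != 3 or not fields[0]:
            continue  # skip blank or malformed rows
        host, _os, version_text = fields
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "ws-001,Windows,Google Chrome 112.0.5615.121",
    "ws-002,Windows,Google Chrome 112.0.5615.49",
    "mac-07,macOS,Google Chrome 111.0.5563.146",
    "lnx-12,Linux,Google Chrome 113.0.5672.63",
    "lnx-13,Linux,chrome not found",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" should be treated as unpatched until their version is confirmed.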