Google has patched three high-severity flaws in the latest release of its Chrome browser, including one zero-day vulnerability that is being actively exploited in the wild.
Most noteworthy is a fix for CVE-2023-5217, described as a heap buffer overflow issue in the VP8 encoding of open source libvpx video codec library.
No other details were available on the official Google Chrome update page. The bug was reported by researcher from Google TAG The quick turnaround time for a patch signifies the criticality of the bug.
That was confirmed by TAG researcher, Maddie Stone, who said the vulnerability is “in use by a commercial surveillance vendor.”
It’s unclear exactly who that vendor is referred to at this stage, but there has been a spate of zero-day discoveries of late tied back to commercial spyware makers.
The remaining two high-severity bugs fixed in this Chrome update are CVE-2023-5186, a use-after-free flaw in Passwords, and CVE-2023-5187, a use-after-free bug in Extensions.
Google Chrome 117.0.5938.132 is currently rolling out worldwide to Windows, Mac and Linux users in the Stable desktop channel.
This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are:
- CVE-2023-2033 – Type Confusion in V8
- CVE-2023-2136 – Integer overflow in the Skia graphics library
- CVE-2023-3079 – Type Confusion in V8
- CVE-2023-4863 – Heap buffer overflow in WebP