Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the beginning of the year.
“Type confusion in V8 in Google Chrome before 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to NIST’s National Vulnerability Database (NVD).
The tech giant recognized that “an exploit for CVE-2023-2033 exists in the wild,” but stopped short of sharing additional technical details or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
CVE-2023-2033 also appears to have similarities to CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262 – four other actively exploited type confusion flaws in the V8 engine that Google fixed in 2022.
Google patched a total of nine Chrome zero-days last year. The development comes days after Citizen Lab and Microsoft disclosed the exploitation of a since-patched flaw in Apple iOS by customers of an obscure spyware vendor named QuaDream to target journalists, opposition politicians, and an NGO worker in 2021.
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply fixes when they become available.
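A small fleet audit for the advice above, written as an added example rather than anything from the article or from Google: it parses the version string a host reports (the format is assumed to match `google-chrome --version` output, e.g. "Google Chrome 112.0.5615.121") and compares it numerically against the fixed build, since lexical string comparison gets Chromium versions wrong. The host names and version strings are constructed sample data; the threshold only applies to Google Chrome itself, because Edge, Brave, Opera and Vivaldi carry their own version numbers and their fixes ship separately.

```python
import re

# Fixed Chrome build named in the advisory for CVE-2023-2033.
FIXED_VERSION = "112.0.5615.121"


def parse_version(text):
    """Extract a four-part Chromium-style version from a string such as
    'Google Chrome 112.0.5615.121'. Returns a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_affected(text, fixed=FIXED_VERSION):
    """True when the reported build is older than the fixed one.
    Tuple comparison is used on purpose: as strings,
    '112.0.5615.49' sorts *after* '112.0.5615.121'."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    return v < parse_version(fixed)


def audit(reports, fixed=FIXED_VERSION):
    """Map host -> 'patched' / 'vulnerable' / 'unknown' for an inventory
    of reported version strings (e.g. gathered by an endpoint agent)."""
    result = {}
    for host, text in reports.items():
        try:
            result[host] = "vulnerable" if is_affected(text, fixed) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hosts and builds are illustrative only.
SAMPLE_REPORTS = {
    "ws-01": "Google Chrome 112.0.5615.121",
    "ws-02": "Google Chrome 112.0.5615.49",
    "ws-03": "Google Chrome 111.0.5563.146",
    "ws-04": "Google Chrome 113.0.5672.63",
    "ws-05": "google-chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_REPORTS).items():
        print(f"{host}: {status}")
```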