Google has released an emergency security update that fixes an actively exploited zero-day vulnerability in Chrome. "Google is aware that a vulnerability in CVE-2023-4863 has been exploited externally," the company announced in a security advisory. "The issue, described as a heap buffer overflow, exists in the WebP image format."
A heap buffer overflow occurs when a program writes more data into a heap-allocated memory buffer than the buffer was allocated to hold, corrupting whatever lies beyond it. In some cases, this kind of vulnerability allows an attacker to execute arbitrary code, meaning they can run code of their choice on the affected system.
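The defect class described above, shown as an added C example that is not code from Google, libwebp or the article: a toy decoder copies a length-prefixed payload into a 16-byte heap buffer. The chunk layout, buffer size and function names are constructed for illustration and have nothing to do with the real WebP format. The unchecked version lets an attacker-controlled length drive `memcpy` past the end of the allocation; the hardened version validates that length against both the destination capacity and the bytes actually present before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIXEL_BUF_SIZE 16  /* capacity of the heap buffer the decoder fills */

/* Toy chunk layout (constructed for this example, not WebP's real format):
 *   byte 0     : declared payload length
 *   bytes 1..n : payload
 */

/* Unchecked version: the classic heap-overflow pattern. The declared length
 * comes straight from untrusted input and drives memcpy, so a chunk that
 * declares more than PIXEL_BUF_SIZE bytes writes past the end of the
 * allocation. Kept only to show the defect; never use on untrusted data. */
int decode_unchecked(const uint8_t *chunk, size_t chunk_len, uint8_t *out)
{
    if (chunk_len < 1) return -1;
    size_t declared = chunk[0];
    memcpy(out, chunk + 1, declared);   /* no comparison with the buffer size */
    return (int)declared;
}

/* Hardened version: reject the chunk before any byte is copied if the
 * declared length exceeds the destination or the input actually supplied. */
int decode_checked(const uint8_t *chunk, size_t chunk_len,
                   uint8_t *out, size_t out_cap)
{
    if (chunk_len < 1) return -1;
    size_t declared = chunk[0];
    if (declared > out_cap) return -2;        /* would overflow the heap buffer */
    if (declared > chunk_len - 1) return -3;  /* declares more than is present (over-read) */
    memcpy(out, chunk + 1, declared);
    return (int)declared;
}

/* Allocates the destination on the heap, runs the checked decoder and
 * returns its status (payload length on success, negative on rejection). */
int decode_chunk_to_heap(const uint8_t *chunk, size_t chunk_len)
{
    uint8_t *pixels = malloc(PIXEL_BUF_SIZE);
    if (!pixels) return -4;
    int rc = decode_checked(chunk, chunk_len, pixels, PIXEL_BUF_SIZE);
    free(pixels);
    return rc;
}

int main(void)
{
    /* Constructed sample chunks */
    uint8_t good[]      = {4, 0xAA, 0xBB, 0xCC, 0xDD};  /* 4 bytes declared, 4 present */
    uint8_t oversized[] = {200, 0x01, 0x02};            /* 200 bytes declared into a 16-byte buffer */
    uint8_t truncated[] = {5, 0x01};                    /* 5 bytes declared, 1 present */

    printf("good:      %d\n", decode_chunk_to_heap(good, sizeof good));
    printf("oversized: %d\n", decode_chunk_to_heap(oversized, sizeof oversized));
    printf("truncated: %d\n", decode_chunk_to_heap(truncated, sizeof truncated));
    return 0;
}
```

The two extra comparisons in `decode_checked` are the entire fix: a length field taken from a file is data, not a fact about memory, so every copy driven by it needs an explicit bound against the real allocation size. Building such parsers with AddressSanitizer enabled during testing makes the unchecked variant fail loudly on the oversized input instead of silently corrupting the heap.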
Apple's Security Engineering and Architecture (SEAR) and the University of Toronto's Munk School Citizen Lab discovered and reported this vulnerability on September 6, 2023. However, Google did not disclose the details of the vulnerability or provide information on how attackers could exploit it.
Chrome users are strongly recommended to update their browser to the latest version, which is 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows. The update is important because it resolves the CVE-2023-4863 vulnerability.
The new version is currently rolling out to users in the Stable and Extended Stable channels, and may reach all users over the coming days or weeks. The update was available for download when we checked for it via Chrome Menu > Help > About Google Chrome on a Windows PC.
The latest vulnerability emerged after Google announced in August that it would release weekly security updates for stable Chrome browser users. The company said that if a security vulnerability is discovered to be actively exploited in the wild, it will promptly address it and release unscheduled patches for the Chrome browser.