Google on Thursday released an emergency update for Chrome 107 to patch an actively exploited zero-day vulnerability.
The flaw, tracked as CVE-2022-3723, has been described as a type confusion issue affecting the V8 JavaScript engine.
“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild,” Google said.
The internet giant was informed about the zero-day vulnerability by cybersecurity firm Avast on October 25.
This is the seventh Chrome zero-day patched by Google this year and the second reported by Avast.
The previous exploited vulnerability discovered by Avast, CVE-2022-2294, was patched by Google in early July with a Chrome 103 update. A few weeks later, Avast revealed that it had linked exploitation of the security hole to Candiru, an Israeli spyware company.
CVE-2022-2294 had been used in targeted attacks aimed at entities in the Middle East, including journalists in Lebanon, with other targets spotted in Turkey, Yemen and Palestine. The Chrome zero-day was only exploited against high-value targets, to which the attackers delivered a sophisticated information stealer malware named DevilsTongue.
It’s worth noting that CVE-2022-2294 affects WebRTC, a component present in other Chromium-based browsers as well, including Edge and Safari. Microsoft and Apple both released patches at the time.
It’s unclear if the attacks exploiting the new CVE-2022-3723 are also related to the Candiru-linked operation. SecurityWeek has reached out to Avast and will share updates if more information comes to light.
Related: North Korea Gov Hackers Caught Sharing Chrome Zero-Day
Related: Federal Agencies Instructed to Patch New Chrome Zero-Day