Google has released out-of-band security updates to address a zero-day vulnerability in its Chrome browser.
Tracked as CVE-2023-4863, the flaw has been described as a WebP heap-based overflow issue that can lead to remote code execution.
The internet giant has yet to share additional details about the nature of attacks the bug has been exploited in, apart from saying that it is “aware that an exploit for CVE-2023-4863 exists in the wild.”
The company credited Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School for discovering and reporting the bug, which suggests that the Chrome exploit may be somehow related to a recently disclosed cyberespionage campaign involving a zero-click iMessage exploit chain named BLASTPASS that was used to deploy the infamous Pegasus spyware onto fully-patched iPhones (running iOS 16.6) via PassKit attachments with malicious images.
Chrome users are recommended to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) as soon as possible.
