Google has released an emergency patch for a security flaw found in the open-source V8 JavaScript engine that is being actively exploited in the wild. The vulnerability applies to Google’s Stable channel for the desktop version of Chrome. The bug is being tracked as CVE-2022-1096 and is a type-confusion issue. Type confusion occurs when a piece of code does not verify the type of object that is passed to it, and uses it without type-checking. This leads to engine confusion, in which wrong function data is fed into the wrong piece of code. If exploited by an attacker, this could lead to code execution.
Although Google did not provide additional technical details, it did clarify that it was aware then an exploit for the flaw exists in the wild. An anonymous researcher was credited with discovering and reporting the issue. Although the flaw has not been assigned a CVSS severity score, Google referred to it as “high severity.” Users are encouraged to implement the emergency fix and remain updated on the situation as more details emerge.