Google Patches Chrome Browser Zero-Day Bug, Under Attack

Google patches zero-day bug tied to memory corruptions found inside the Chrome browser’s open-source JavaScript and Web Assembly engine, called V8.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type of confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome’s open-source JavaScript and Web Assembly engine, called V8.

Technical details of CVE-2020-6418 are being withheld pending patch deployment to a majority of affected versions of the Chrome browser, according to Google. Generally speaking, memory corruption vulnerabilities occur when memory is altered without explicit data assignments triggering programming errors, which enable an adversary to execute arbitrary code on targeted devices.

In the context web browser engines, a similar memory corruption bug exploited by adversaries earlier this month, enticed victims to visit a specially-crafted web site booby-trapped with and an exploit that took advantage of a browser memory corruption flaw to execute code remotely.

Credited for finding the bug is Google’s Threat Analysis Group and researcher Clément Lecigne.

Google is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an “out of bounds memory access in streams” bug. The other bug, which does not have a CVE assignment, is a flaw tied to an integer overflow in ICU, a flaw commonly associated with triggering a denial of service and possibly to code execution.

Mitigation includes Windows, Linux, and macOS users download and install the latest version of Chrome.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • Vsn.Vinay Kumar.Durgi on

    Hi there, i use chrome often and I am currently running a version of .3987.87 than an updated and a latest version "3987.119" which is available on my Play store. Due to latest updates of different apps unavailable even on the websites when I search for on Google or play store or it could be something like the updates are getting installed but they are actually running an old version of the app in the back ground. Also my phone device Mac id seems to be the same as I have seen the same Mac being displayed for different devices that I have used, and this is happening even with the brand new devices too. I haven't taken a back up of the complete hardware information right after purchase which seems a flaw from my end, but getting back the original MAC address of the device has become a task for me since I am left with one option of contacting the device manufacturer for the complete company shipped hardware details. Can you see any relation in these findings or can any one suggest the best available options to get my phone device secured and in getting the original Mac id apart from contacting the device manufacturer and also that the complete device restoration to original settings too failed. I don't have a laptop to venture out much but you can say I am at professional level in understanding my current issue and the shared content and suggestions. Any suggestions or sharing similar incidents would be of help and appreciated. VSN.Vinay Kumar.Durgi

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.