A serious security flaw in Google Chrome, discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency's Known Exploited Vulnerabilities catalog.

A vulnerability in an open source video codec used by a host of major browsers represents a serious security threat, the US Cybersecurity and Infrastructure Agency (CISA) says.

The flaw affects web browsers that use the libvpx media library, a joint project between Google and the Alliance for Open Media. It received a CVSS v3 base score of 8.8, which places it in the "high" severity band.

A CISA announcement Monday said that there is evidence of the flaw being actively exploited, making this a zero-day threat.

The vulnerability enables a type of buffer overflow attack, according to CISA. In practice this means that, at some stage, the decoder sizes a memory buffer for its input incorrectly; a specially crafted input larger than that buffer is then written past its bounds, corrupting adjacent memory, with consequences that range from a crash to full compromise.

Buffer and heap overflows are a common target for attackers because the technique applies so widely. In this case, and in keeping with the flaw's high severity score, it may enable remote code execution, letting attackers deliver dangerous payloads onto vulnerable systems.

"If you're really clever, you can craft an exploit that gets into system memory," said Christopher Rodriguez, a research director at IDC. "If it were a lower level [exploit], it might be limited to what parts of memory it can touch ... maybe crash an application."

Patches have been issued by the companies behind most major browsers that run Chromium, including Google Chrome and Microsoft Edge. The libvpx codec is also present in Firefox, which has also been patched.
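The buffer-overflow paragraph above describes the bug class in the abstract. The following C program is an added illustration of that class and is not libvpx code or the actual vulnerability: it uses a constructed toy frame format in which the decoder sizes its heap buffer from one header field but copies according to another, shown first without the length check and then with the check that a hardened decoder performs before touching memory. The frame layout, the function names and the sample inputs are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "frame" format for illustration (NOT libvpx's bitstream):
 *   byte 0     : size the decoder allocates for its working buffer
 *   byte 1     : number of payload bytes that actually follow
 *   byte 2 ... : payload
 * The bug class on the page: the buffer is sized from one field and filled
 * according to another, so a frame that carries more payload than it
 * declared writes past the end of the heap allocation. */
enum { HDR_LEN = 2 };

/* Shared tail: XOR the copied bytes so the decode result is observable,
 * then release the buffer. */
static int finish(uint8_t *buf, size_t n)
{
    int x = 0;
    for (size_t i = 0; i < n; i++) x ^= buf[i];
    free(buf);
    return x;
}

/* "Before": allocation uses frame[0], memcpy length uses frame[1]; nothing
 * ties the two together. Returns the payload checksum, or -1 on error. */
static int decode_frame_unchecked(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < HDR_LEN) return -1;
    size_t declared = frame[0], payload_len = frame[1];
    if (declared == 0) return -1;
    uint8_t *buf = calloc(declared, 1);
    if (!buf) return -1;
    memcpy(buf, frame + HDR_LEN, payload_len);  /* heap overflow when payload_len > declared */
    return finish(buf, payload_len);
}

/* "After": every length that drives a copy is checked against both the
 * allocation and the bytes actually present before any memory is touched. */
static int decode_frame_checked(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < HDR_LEN) return -1;
    size_t declared = frame[0], payload_len = frame[1];
    if (declared == 0) return -1;
    if (payload_len > declared) return -1;            /* would write past buf */
    if (payload_len > frame_len - HDR_LEN) return -1; /* would read past the input */
    uint8_t *buf = calloc(declared, 1);
    if (!buf) return -1;
    memcpy(buf, frame + HDR_LEN, payload_len);
    return finish(buf, payload_len);
}

/* Constructed sample inputs. */
static const uint8_t BENIGN[]    = { 8, 4, 'v', 'p', '8', '!' };   /* 4 <= 8: fine */
static const uint8_t TRUNCATED[] = { 8, 4, 'v' };                  /* claims 4 bytes, carries 1 */
static const uint8_t OVERSIZED[] = { 4, 16,                         /* 16 > 4: overflow */
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };

int main(void)
{
    printf("unchecked, benign   : %d\n", decode_frame_unchecked(BENIGN, sizeof BENIGN));
    printf("checked,   benign   : %d\n", decode_frame_checked(BENIGN, sizeof BENIGN));
    printf("checked,   truncated: %d\n", decode_frame_checked(TRUNCATED, sizeof TRUNCATED));
    printf("checked,   oversized: %d\n", decode_frame_checked(OVERSIZED, sizeof OVERSIZED));
    /* decode_frame_unchecked(OVERSIZED, ...) is deliberately not called here:
     * it would write 12 bytes past a 4-byte heap allocation. */
    return 0;
}
```

Both decoders produce the same checksum (31) for the well-formed frame; only the checked version refuses the oversized and truncated frames. The design point is that the rejection happens before the allocation is written, which is what turns a memory-corruption primitive into a plain parse error; a fuzzer or AddressSanitizer build run over the unchecked variant would report the out-of-bounds write immediately.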
Its severity means that organizations must stay on top of patching in order to avoid potentially serious consequences. (The CISA notice gives federal civilian agencies until October 23 to fully protect themselves against the flaw.)

"The browser's so powerful these days," said Rodriguez. "So many applications work over the web, including SaaS and [business applications] designed for remote workers. Even sensitive data that goes into your personal browser can be an issue."

Rodriguez also urged the adoption of endpoint security measures to help defend against this type of zero-day attack.