Google has released a Chrome security update that fixes 11 vulnerabilities, including a zero-day that the company said was under active exploitation. The flaw is insufficient validation of untrusted input in Mojo, which creates a path to arbitrary code execution via a crafted HTML page.
The patch landed in Chrome’s stable channel on Sept. 6, with Google warning that an exploit for the vulnerability existed in the wild. The bug stood out not just because it was Chrome’s fifth zero-day patched in 2023, but because the flaw was in Mojo, a core component of the browser. That meant the risk extended to other Chromium-based software.
For users and defenders, the immediate concern was straightforward: malicious content could trigger the flaw simply by being rendered. In practical terms, visiting a booby-trapped site containing a crafted HTML page could be enough to compromise a target system. Browser zero-days are already high-priority patch items, but bugs in core components like this one tend to widen the blast radius across vendors and platforms.
Organizations should treat the issue as more than a single Chrome patch cycle. Asset owners need to verify that Chrome is updated, then identify other Chromium-based software in their environment that may also be affected. For individual users, enabling automatic updates and keeping browsers, operating systems, and security tools current remains the fastest way to reduce exposure. Users on untrusted networks may also want to pair patching with basic protections such as a VPN, though the patch itself is the primary fix.

