Google LLC has begun rolling out an update for Chrome to fix a high-severity vulnerability that is being actively targeted by hackers.

The vulnerability is found in the Windows, Mac and Linux versions of Chrome, the search giant detailed in a blog post Friday. The update that Google’s engineers have created to fix the issue is set to roll out over the coming weeks.

The vulnerability was reported to Google on Aug. 30 by an anonymous cybersecurity researcher. It’s ranked as high severity, the second-highest risk level in the Common Vulnerability Scoring System, an industry-standard framework for measuring cybersecurity risk. The vulnerability is tracked as CVE-2022-3075.

To reduce the risk of cyberattacks, Google won’t disclose detailed technical information about the vulnerability until most Chrome users download the update. However, the search giant did share what component of Chrome is affected by the vulnerability.

Chrome is based on an open-source browser called Chromium that is also developed by Google. The vulnerability affects Mojo, a collection of runtime libraries included in Chromium. A runtime library is a piece of software on which another program, in this case Chrome, depends to work.

A program that is actively running on a computer is known as a process. To optimize Chrome’s reliability, Google has designed the browser to run every tab opened by the user in a separate process. Mojo, the component in which the newly disclosed vulnerability was found, is used to exchange data between Chrome’s processes.

Chrome relies on Mojo to carry out some of the computations involved in rendering web pages. The component is used for certain other tasks as well.

According to Google, the newly disclosed vulnerability is the result of “insufficient data validation” in Mojo. Data validation is a method of blocking attempts by hackers to enter malicious input into an application. If an application doesn’t perform data validation effectively, it may become susceptible to certain types of cyberattacks.

The security flaw is the latest in a series of Chrome vulnerabilities that Google has fixed since the beginning of the year. In April, the company issued a patch for another high-severity vulnerability that affected the browser’s V8 JavaScript engine. The engine is responsible for processing code written in the JavaScript programming language, which is widely used to power web pages.

Google’s disclosure of the latest Chrome vulnerability comes a few days after the company launched a new program to improve the security of Chromium and its other open-source projects. Through the program, Google will offer rewards for researchers who discover cybersecurity flaws in its open-source software.

The effort is one component of Google’s broader plan to invest $10 billion over the next five years in cybersecurity. As part of the effort, Google also plans to support third-party initiatives to address software vulnerabilities. The search giant will provide $100 million for foundations such as OpenSSF, which launched earlier this year to find and fix vulnerabilities in popular open-source projects.

Image: Google