Google has released an update for Chrome to address a previously undisclosed or zero-day flaw that is under attack.
According to Google, the high-severity flaw, which is tracked as CVE-2022-4135, is due to a memory-related “heap buffer overflow in GPU”.
“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” Google says in its advisory.
The issue was was reported on 22 November by Clement Lecigne, a researcher with Google’s Threat Analysis Group.
Google is rolling out the fix in the coming days or weeks via the Stable channel release of Chrome, which has now been updated to 107.0.5304.121 for Mac and Linux, and 107.0.5304.121/.122 for Windows.
Google is keeping details of the bug restricted until the majority of users are updated with the fix.
The NIST’s National Vulnerability Database, however, has a more detailed description of CVE-2022-4135, which helps explain why it’s a high-severity flaw: a remote attacker can escape the Chrome sandbox by luring a target to a web page crafted in a way to exploit the graphics renderer process.
“Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” NIST notes.
According to Bleepingcomputer, it’s the eighth actively exploited zero day in Chrome that Google has patched this year. Google’s Project Zero zero-day tracker, however, only counts seven Chrome zero days this year as it’s missing CVE-2022-3075, which it patched on September 2.
By far, the most common category of flaws affecting Chrome on the zero-day tracker are memory corruption issues. Google is trying to harden Chrome’s giant C++ code base against memory security flaws with heap scanning and MicarclPtr. In general, memory flaws account for 70% of high-severity bugs in Chrome. Both hardening techniques create an overhead on performance.
Even though the flaw is likely being used in targeted attacks, Chrome users should install the update, which was available today when ZDNet checked.
Disclaimer : OneNewsTech.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us – firstname.lastname@example.org. The content will be deleted within 24 hours.