Google released an out-of-band security update on Friday to patch a zero-day vulnerability actively exploited in its Chrome web browser.
The critical vulnerability, tracked as CVE-2022-4262, is a type confusion flaw in the V8 JavaScript engine. Clement Lecigne of Google’s Threat Analysis Group (TAG) is credited with reporting the issue on November 29, 2022.
Threat actors could exploit type confusion vulnerabilities to perform out-of-bounds memory access, or to cause a system crash and arbitrary code execution.
According to NIST’s National Vulnerability Database, “a remote attacker may exploit heap corruption via a specially crafted HTML page.”
Google acknowledged that the vulnerability was being actively exploited but refrained from disclosing additional information to prevent further abuse.
Google has addressed four actively exploited type confusion vulnerabilities in Chrome since the beginning of the year. This is also the ninth zero-day vulnerability in Chrome that attackers have exploited in 2022, after these eight:
- CVE-2022-0609 – Use-after-free in Animation
- CVE-2022-1096 – Type confusion in V8
- CVE-2022-1364 – Type confusion in V8
- CVE-2022-2294 – Heap buffer overflow in WebRTC
- CVE-2022-2856 – Insufficient validation of untrusted input in Intents
- CVE-2022-3075 – Insufficient data validation in Mojo
- CVE-2022-3723 – Type confusion in V8
- CVE-2022-4135 – Heap buffer overflow in GPU
Users are advised to upgrade to version 108.0.5359.94 for macOS and Linux, and version 108.0.5359.94/.95 for Windows, to mitigate potential security risks.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the updates as soon as they become available.
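To check a fleet against the fixed Chrome build named above, the following added example (not from Google or the original article) classifies inventory records by comparing version components numerically. The platform keys, hostnames and sample version strings are constructed for illustration. It covers Chrome only, because the article gives no fixed version numbers for other Chromium-based browsers.

```python
import re

# Fixed builds stated in the article for CVE-2022-4262.
FIXED = {
    "macos": (108, 0, 5359, 94),
    "linux": (108, 0, 5359, 94),
    "windows": (108, 0, 5359, 94),  # shipped as .94/.95; .94 is the floor
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from `--version`-style output."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    floor = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # needs manual follow-up; never assume safe
    # Tuple comparison is numeric per component, so build .124 sorts after
    # .94 (a plain string comparison would get this wrong).
    return "patched" if version >= floor else "vulnerable"


def audit(records):
    """Map hostname -> status for (host, platform, version_text) records."""
    return {host: classify(plat, ver) for host, plat, ver in records}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 108.0.5359.95"),
    ("ws-02", "windows", "Google Chrome 108.0.5359.71"),
    ("mb-01", "macos", "Google Chrome 107.0.5304.121"),
    ("lx-01", "linux", "Google Chrome 108.0.5359.94 "),
    ("lx-02", "linux", "Google Chrome 108.0.5359.124"),
    ("kiosk", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Records that come back as `unknown` should be treated as unpatched until the installed version is confirmed.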