Security News > 2022 > March > Google Chrome Bug Actively Exploited as Zero-Day

Google Chrome Bug Actively Exploited as Zero-Day
2022-03-30 16:14

Google has updated its Stable channel for the desktop version of Chrome, to address a zero-day security vulnerability that's being actively exploited in the wild.

The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers.

Type confusion, as Microsoft has laid out in the past, occurs "When a piece of code doesn't verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusionAlso with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution."

Google didn't provide additional technical details, as is its wont, but did say that it was "Aware that an exploit for CVE-2022-1096 exists in the wild." An anonymous researcher was credited with finding the issue, which is labeled "High-severity".

"The vulnerability was only reported on the 23rd of March, and while Google's Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software deployed as widely deployed as Chrome in 48 hours is something is continue to be impressed by," he said.

CVE-2021-21148 - Feb. 4, an unnamed type of bug in V8. CVE-2021-21224 - April 20, an issue with type confusion in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.


News URL

https://threatpost.com/google-chrome-bug-actively-exploited-zero-day/179161/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-07-23 CVE-2022-1096 Type Confusion vulnerability in Google Chrome
Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
network
low complexity
google CWE-843
8.8
2021-04-26 CVE-2021-21224 Type Confusion vulnerability in multiple products
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
network
low complexity
google debian fedoraproject CWE-843
8.8
2021-02-09 CVE-2021-21148 Out-of-bounds Write vulnerability in multiple products
Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
network
low complexity
google fedoraproject debian CWE-787
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995