Google issued a software update to fix yet another zero-day flaw in its Chrome web browser. CVE-2022-4135 is identified as a high severity vulnerability.
The aforementioned Zero-Day Flaw is identified as CVE-2022-4135, which is defined as a heap buffer overflow in the GPU component and categorized as a high-severity vulnerability. Clement Lecigne, a member of Google’s Threat Analysis Group (TAG), disclosed the new vulnerability on November 22, 2022.
A heap-based overflow can be exploited and used as a weapon, as per TheHackerNews:
“Heap-based buffer overflow bugs can be weaponized by threat actors to crash a program or execute arbitrary code, leading to unintended behavior.”
Google has indicated that the vulnerability is known to them: “Google is aware that an attack for CVE-2022-4135 exists in the wild.”
This year, Google has patched many zero-day vulnerabilities in Chrome:
- CVE-2022-0609 – Use-after-free in Animation
- CVE-2022-1096 – Type confusion in V8
- CVE-2022-1364 – Type confusion in V8
- CVE-2022-2294 – Heap buffer overflow in WebRTC
- CVE-2022-2856 – Insufficient validation of untrusted input in Intents
- CVE-2022-3075 – Insufficient data validation in Mojo
- CVE-2022-3723 – Type confusion in V8
To minimize possible risks, users are advised to upgrade to version 107.0.5304.121 for macOS and Linux, and 107.0.5304.121/.122 for Windows. Also, users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also expected to apply the patches.