Google has released an update for Chrome to fix previously undisclosed or zero-day bugs that are under attack.
According to Google, the high-severity flaw, which is tracked as CVE-2022-4135, is caused by a memory-related “heap buffer overflow on the GPU.”
“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” Google said in its advisory.
The issue was reported on November 22 by Clement Lessigne, a researcher in Google’s Threat Analysis Group.
Also: Ransomware: Why it’s still a big threat, and where the gangs are going next
Google is rolling out the fix in the coming days or weeks via Chrome’s stable channel release, which is now updated to 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows.
Google is keeping details of the bug limited until most users update with a fix.
NIST’s National Vulnerability Database, however, has more details on CVE-2022-4135, which helps explain why it’s a high-severity flaw: A remote attacker could escape the Chrome sandbox by luring a target to create graphics on a web page. Ways to use the renderer process.
“Heap buffer overflow on GPU in Google Chrome before 107.0.5304.121 allowed a remote attacker who compromised the renderer process to potentially escape a sandbox via a crafted HTML page,” NIST notes.
According to Bleeping Computer, this is the eighth actively exploited zero day in Chrome that Google has patched this year. Google’s Project Zero zero-day tracker, however, has counted only seven Chrome zero days this year because it is missing CVE-2022-3075, which it patched on September 2.
By far, the most common category of errors affecting Chrome in the zero-day tracker are memory corruption issues. Google is trying to harden Chrome’s massive C++ code base against memory safety flaws with heap scanning and MicarclPtr. In general, memory errors account for 70% of Chrome’s high-severity bugs Both hardening techniques create an overhead on performance.
While the flaw is likely being used in targeted attacks, Chrome users should install the update, which was available at the time ZDNet checked.