Google has released an update for Chrome to address a previously undisclosed or zero-day flaw that is under attack.
According to Google, the high-severity flaw, which is tracked as CVE-2022-4135, is due to a memory-related “heap buffer overflow in GPU”.
“Google is aware that an exploit for CVE-2022-4135 exists in the wild,” Google says in its advisory.
The issue was was reported on 22 November by Clement Lecigne, a researcher with Google’s Threat Analysis Group.
Google is rolling out the fix in the coming days or weeks via the Stable channel release of Chrome, which has now been updated to 107.0.5304.121 for Mac and Linux, and 107.0.5304.121/.122 for Windows.
Google is keeping details of the bug restricted until the majority of users are updated with the fix.
The NIST’s National Vulnerability Database, however, has a more detailed description of CVE-2022-4135, which helps explain why it’s a high-severity flaw: a remote attacker can escape the Chrome sandbox by luring a target to a web page crafted in a way to exploit the security issue in the graphics renderer process.
“Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” NIST notes.
According to Bleepingcomputer, it’s the eighth actively exploited zero day in Chrome that Google has patched this year. Google’s Project Zero zero-day tracker, however, only counts seven Chrome zero days this year as it’s missing CVE-2022-3075, which it patched on September 2.
By far, the most common category of flaws affecting Chrome on the zero-day tracker are memory corruption issues. Google is trying to harden Chrome’s giant C++ code base against memory security flaws with heap scanning and MicarclPtr. In general, memory flaws account for 70% of high-severity bugs in Chrome. Both hardening techniques create an overhead on performance.
Even though the flaw is likely being used in targeted attacks, Chrome users should install the update, which was available today when ZDNet checked.