
Google Patches Heap Overflow Zero Day in Chrome

Google has released an update for Chrome on the desktop and Android that fixes a high-risk vulnerability that has been exploited in the wild.

The vulnerability (CVE-2022-4135) is a heap buffer overflow in Chrome’s GPU component and could allow an attacker to execute arbitrary code on a target device. This is the eighth actively exploited vulnerability in Chrome that Google has patched this year.

“Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” the bug description says.

The bug is in all versions of Chrome prior to 107.0.5304.121, and it affects both desktop and Android versions. Clement Lecigne of Google’s Threat Analysis Group reported this vulnerability, which lends some context to the discovery of an in-the-wild exploit. TAG is Google’s in-house team that tracks state-backed actors and APT groups and works to disrupt their operations. The group often identifies threat actors using exploits for zero days in the wild, and this is the third Chrome zero day that Lecigne has reported in 2022, along with a zero day in Internet Explorer.

It has been another busy year for researchers identifying exploits used in the wild for zero day vulnerabilities. In 2021, there were 68 such vulnerabilities reported publicly, and so far in 2022 there have been at least 33, according to data compiled by Google Project Zero researcher Maddie Stone.

Organizations that deploy Chrome on the desktop and/or on Android devices should update to the latest version as soon as possible.