Zero-Day Vulnerabilities in Google Chrome in 2022

Google has announced 9 zero-day vulnerabilities for its Chrome browser in 2022.

Overview

In 2022, Google fixed a total of 359 security flaws in its Chrome browser; 9 of these flaws were zero-day vulnerabilities that were actively exploited in the wild by malicious actors.

Description

Google released several updates during 2022, including out-of-band patches, to address a total of 359 vulnerabilities that were published in the National Vulnerability Database (NVD). 189 of these vulnerabilities were discovered in the 01 Jul – 30 Sep 2022 period, while on average 50 vulnerabilities were detected in the other quarters.

| Period in 2022 | Total Number of Vulnerabilities |
| --- | --- |
| 01 Jan – 31 Mar | 50 |
| 01 Apr – 30 Jun | 47 |
| 01 Jul – 30 Sep | 189 |
| 01 Oct – 31 Dec | 73 |
| Total | 359 |

Number of Detected Vulnerabilities by Quarters in 2022

At least as significant as the large number of vulnerabilities detected in Google Chrome is the fact that 9 of them were zero-days that were exploited in the wild. In other words, these 9 flaws were first identified and exploited by malicious adversaries before they were detected and fixed by Google.

The following table lists these zero-day vulnerabilities with their CVE identifiers, types and respective severity levels:

| CVE ID | Type | Release Date | Severity |
| --- | --- | --- | --- |
| CVE-2022-0609 | Use After Free in Animation | 14/02/2022 | High |
| CVE-2022-1096 | Type Confusion in V8 | 25/03/2022 | High |
| CVE-2022-1364 | Type Confusion in V8 Turbofan | 14/04/2022 | High |
| CVE-2022-2294 | Heap Buffer Overflow in WebRTC | 04/07/2022 | High |
| CVE-2022-2856 | Insufficient Validation of Untrusted Input in Intents | 16/08/2022 | Medium |
| CVE-2022-3075 | Insufficient Data Validation in Mojo | 02/09/2022 | Critical |
| CVE-2022-3723 | Insufficient Validation of Untrusted Input in Intents | 27/10/2022 | High |
| CVE-2022-4135 | Heap Buffer Overflow in GPU | 24/11/2022 | Critical |
| CVE-2022-4262 | Type Confusion in V8 | 02/12/2022 | High |

9 Google Chrome Zero-Day Vulnerabilities in 2022

Note that these vulnerabilities originate from the Chromium open-source project, which Google Chrome uses as its core engine. Because a number of other web browsers (such as Microsoft Edge, Opera, Brave, Vivaldi, Epic Browser, Iron Browser, Blisk, etc.) also depend on Chromium as their core engine, these browsers also need to be updated to their most recent versions according to the specific vendor security advisories.

By their nature, browser vulnerabilities are more exposed to external attacks. Browsers therefore need to be updated soon after the stable versions fixing the critical vulnerabilities become available. However, according to some research, most organizations take 2 to 3 weeks on average to update vulnerable browser versions. On the other hand, the risk from vulnerable browsers is of less concern for normal users, since by default Chrome updates in the background when it is closed and reopened.

Impact

A use after free vulnerability (CVE-2022-0609) in Animation in Google Chrome prior to 98.0.4758.102 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Impact Summary CVE-2022-0609

Category: Use After Free
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A Type Confusion vulnerability (CVE-2022-1096) in V8 in Google Chrome prior to 99.0.4844.84 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Impact Summary CVE-2022-1096

Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A Type Confusion vulnerability (CVE-2022-1364) in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Impact Summary CVE-2022-1364

Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A Heap Buffer Overflow vulnerability (CVE-2022-2294) in WebRTC in Google Chrome prior to 103.0.5060.114 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Impact Summary CVE-2022-2294

Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An Insufficient Validation of Untrusted Input vulnerability (CVE-2022-2856) in Intents in Google Chrome on Android prior to 104.0.5112.101 allows a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.

Impact Summary CVE-2022-2856

Category: Insufficient Validation of Untrusted Input
CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

An Insufficient Data Validation vulnerability (CVE-2022-3075) in Mojo in Google Chrome prior to 105.0.5195.102 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page through a compromised renderer process.

Impact Summary CVE-2022-3075

Category: Insufficient Data Validation
CVSS 3.1 Base Score: 9.6
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

An Insufficient Validation of Untrusted Input vulnerability (CVE-2022-3723) in Intents in Google Chrome on Android prior to 104.0.5112.101 allows a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.

Impact Summary CVE-2022-3723

Category: Insufficient Validation of Untrusted Input
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A Heap Buffer Overflow vulnerability (CVE-2022-4135) in GPU in Google Chrome prior to 107.0.5304.121 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page through a compromised renderer process.

Impact Summary CVE-2022-4135

Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 9.6
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

A Type Confusion vulnerability (CVE-2022-4262) in V8 in Google Chrome prior to 108.0.5359.94 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Impact Summary CVE-2022-4262

Category: Type Confusion
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Solution (Update)

To defend against possible attacks exploiting these vulnerabilities, Google Chrome needs to be updated to the latest stable version announced.

Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can simply click More (Three vertical dots) on the top right of the Chrome browser.
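For organizations that track browser versions centrally, the check can be automated. The following added example (not part of the original advisory) compares installed Chrome versions against the "prior to" versions and platform notes given in the Impact section; the inventory, hostnames and function names are constructed for illustration.

```python
# Fixed-in versions ("prior to ...") and platform scope, copied from the
# Impact section of this page. None means the page names no specific platform.
FIXED_IN = {
    "CVE-2022-0609": ("98.0.4758.102", None),
    "CVE-2022-1096": ("99.0.4844.84", None),
    "CVE-2022-1364": ("100.0.4896.127", None),
    "CVE-2022-2294": ("103.0.5060.114", None),
    "CVE-2022-2856": ("104.0.5112.101", "android"),
    "CVE-2022-3075": ("105.0.5195.102", None),
    "CVE-2022-3723": ("104.0.5112.101", "android"),
    "CVE-2022-4135": ("107.0.5304.121", None),
    "CVE-2022-4262": ("108.0.5359.94", None),
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into ints; string compare ranks 99 above 100."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def exposed_cves(version, platform):
    """CVEs from the table whose fixed version is newer than `version`."""
    installed = parse_version(version)
    return sorted(
        cve for cve, (fixed, only_on) in FIXED_IN.items()
        if installed < parse_version(fixed) and only_on in (None, platform)
    )

def audit(inventory):
    """Map host -> exposed CVEs, or None when the version string is unusable."""
    report = {}
    for host, platform, version in inventory:
        try:
            report[host] = exposed_cves(version, platform)
        except ValueError:
            report[host] = None  # needs manual follow-up; do not assume patched
    return report

# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "99.0.4844.84"),
    ("tab-07", "android", "104.0.5112.97"),
    ("ws-02", "linux", "108.0.5359.94"),
    ("kiosk-3", "windows", "unknown"),
]
if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(host, "UNPARSEABLE" if cves is None else cves or "up to date")
```

The version numbers apply to Google Chrome only; other Chromium-based browsers use their own version schemes and have to be checked against their vendors' advisories.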

Quote by Kevin Mitnick

You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.

Kevin Mitnick

References to Advisories, Solutions and Tools

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?