Google released an emergency update this week that addressed two vulnerabilities in its Chrome web browser, including a type confusion flaw that has already been exploited in the wild.
In the update, Google stated that they are aware of an attack for CVE-2022-1364. Details won’t be revealed until the majority of Chrome users on Windows, Linux, and Mac have upgraded to version 100.0.4896.127.
Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi, are reported to be affected by the said incident.
The second issue that has been resolved looks to be related to internal problems. “Various fixes from internal audits, fuzzing, and other initiatives,” according to the notice.
The JavaScript and WebAssembly engines in the browser are affected by the type misunderstanding vulnerability (CVE-2022-1364). Software with this fault will allocate a resource (such as a pointer or object) with one type and then try to access the resource with another type. The flaw can be used to cause the browser to crash, generate logical errors, or even execute arbitrary code.
This is Chrome’s third emergency update in 2022, and the year’s third zero-day vulnerability. In March, Google (together with Microsoft) patched a major issue in the Chromium v8 JavaScript engine that was being actively exploited (CVE-2022-1096).