Google released an out-of-band security update on Friday to fix a high-severity vulnerability in its Chrome browser that is being actively exploited in the wild, according to the company.
In languages that are not memory safe, such as C and C++, type confusion errors, which occur when a resource (e.g., a variable or an object) is accessed using a type that is incompatible with the type it was originally initialized with, could have serious consequences, allowing a malicious actor to perform out-of-bounds memory access.
According to MITRE’s Common Weakness Enumeration (CWE), “if the allocated buffer is smaller than the type that the function is attempting to access, it could read or write memory outside the confines of the buffer, resulting in a crash and possibly code execution.”
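The failure mode MITRE describes, shown as an added C example that is not Chrome or V8 code: a constructed two-type object model, with an unchecked cast beside a version that validates the type tag, allocation size and index before the access. All type and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed object model (not V8's): every object begins with a type tag. */
enum { NSLOTS = 8 };
typedef enum { TYPE_SMALL = 1, TYPE_LARGE = 2 } obj_type;
typedef struct { obj_type type; } header;
typedef struct { header h; uint32_t value; } small_obj;
typedef struct { header h; uint32_t value; uint64_t slots[NSLOTS]; } large_obj;

/* Weak form: reinterprets whatever it is given as a large_obj. Handed a
 * small_obj, slots[idx] lies past the end of that allocation (CWE-843). */
void write_slot_unchecked(void *obj, size_t idx, uint64_t v) {
    ((large_obj *)obj)->slots[idx] = v;   /* no tag check, no bounds check */
}

/* Byte offset one past the end of the write the weak form would perform. */
size_t confused_write_end(size_t idx) {
    return offsetof(large_obj, slots) + (idx + 1) * sizeof(uint64_t);
}

/* Hardened form: validate the tag, the allocation size and the index
 * before the pointer is ever treated as a large_obj. */
int write_slot_checked(void *obj, size_t alloc_size, size_t idx, uint64_t v) {
    if (obj == NULL || alloc_size < sizeof(header)) return -1; /* no header */
    if (((header *)obj)->type != TYPE_LARGE)        return -2; /* wrong type */
    if (alloc_size < sizeof(large_obj))             return -3; /* too small */
    if (idx >= NSLOTS)                              return -4; /* bad index */
    ((large_obj *)obj)->slots[idx] = v;
    return 0;
}

int main(void) {
    small_obj s = { { TYPE_SMALL }, 7 };          /* constructed sample objects */
    large_obj l = { { TYPE_LARGE }, 7, { 0 } };
    printf("small_obj is %zu bytes; a confused write to slot 0 ends at byte %zu\n",
           sizeof s, confused_write_end(0));
    printf("checked write on small_obj: %d\n",
           write_slot_checked(&s, sizeof s, 0, 1));
    printf("checked write on large_obj: %d\n",
           write_slot_checked(&l, sizeof l, 3, 1));
    return 0;
}
```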
The company stated that it is aware that an exploit for CVE-2022-1096 exists in the wild, but declined to provide any details, to avoid further exploitation, until the majority of customers have been updated with a remedy.
CVE-2022-1096 is Google’s second zero-day vulnerability in Chrome since the beginning of the year, the first being CVE-2022-0609, a use-after-free flaw in the Animation component that was patched on February 14, 2022.
The zero-day weakness, identified as CVE-2022-1096, is a type confusion vulnerability in the V8 JavaScript engine.