Google Chrome zero-day exploited in the wild (CVE-2022-4262)

Google has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome (and Chromium), which is being exploited by attackers in the wild.


No other technical details have been shared about this zero-day flaw, only that it was reported by security engineer Clement Lecigne of Google’s Threat Analysis Group (TAG), whose goal is to protect users from state-sponsored attacks and other advanced persistent threats.

About CVE-2022-4262

With a “High” security rating, CVE-2022-4262 ostensibly allows remote attackers to exploit heap (memory) corruption via a crafted HTML page.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Srinivas Sista, Technical program manager for Google Chrome, explained.

The fix – in the form of a browser update – is being rolled out right now. Users will get updated to v108.0.5359.94 (for Mac and Linux) and v108.0.5359.94/.95 (for Windows) if the update is available and they restart their browser. Users can also trigger the update manually and should consider doing it.

The fix for this bug can also be found in the latest update for Microsoft’s Edge browser (v108.0.1462.41), as it’s based on the open-source Chromium project. Users should update this browser as well.
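For administrators who need to confirm the fix across many machines, the following added example (not from Google, Microsoft or the original article) checks a browser inventory against the fixed builds named above. The CSV layout, host names and installed versions are constructed sample data; versions are compared numerically because a plain string comparison would rank 108.0.5359.124 below 108.0.5359.94.

```python
import csv
import io

# First fixed builds for CVE-2022-4262, as given in the article.
FIXED = {
    "chrome": (108, 0, 5359, 94),
    "edge": (108, 0, 1462, 41),
}

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = """\
host,browser,version
ws-001,chrome,108.0.5359.71
ws-002,chrome,108.0.5359.94
ws-003,chrome,108.0.5359.124
ws-004,edge,108.0.1462.38
ws-005,edge,108.0.1462.41
ws-006,chrome,108.0.5359
ws-007,other-chromium-fork,108.0.5300.0
"""


def parse_version(text):
    """Turn '108.0.5359.94' into (108, 0, 5359, 94); raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part browser version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Return [(host, status)] with status 'patched', 'vulnerable' or 'unknown'."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        browser = row["browser"].strip().lower()
        try:
            installed = parse_version(row["version"])
            fixed = FIXED[browser]
        except (ValueError, KeyError):
            # Malformed version, or a browser whose fixed build the article
            # does not give: report it rather than assume it is patched.
            status = "unknown"
        else:
            status = "patched" if installed >= fixed else "vulnerable"
        results.append((row["host"], status))
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need manual follow-up; the article gives fixed builds only for Chrome and Edge.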

Finally, CVE-2022-4262 has been added to CISA’s Known Exploited Vulnerabilities catalog, “a living list of known CVEs that carry significant risk to the federal enterprise.” This means that agencies of the US federal civilian executive branch are required to apply the patches by December 26, 2022.
