Chrome releases security update to fix 0-day CVE-2022-2856 vulnerability
Google released a security bulletin to reveal the CVE-2022-2856 vulnerability, which is a major security threat to insufficient validation of untrusted input in Intents, Google has released an emergency security update to fix this vulnerability, the corresponding version number is Google Chrome 104.0.5112.101.
The security vulnerability, numbered CVE-2022-2856, was submitted by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19. According to Google, “Google is aware that an exploit for CVE-2022-2856 exists in the wild.”
At present, it is only known that this vulnerability is insufficient validation of untrusted input in Intents. Based on security considerations, Google will only disclose the full details of the vulnerability after most users update.
Also fixed this time are
- [$NA] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
- [$7000] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
- [$7000] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
- [$5000] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
- [$5000] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [$NA] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
- [$3000] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
- [$2000] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
- [$TBD] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21