Google released a security bulletin to reveal the CVE-2022-1364 vulnerability, which is a major security threat to Type Confusion in V8. To ensure security, Google has released an emergency security update to fix this vulnerability, the corresponding version number is Google Chrome 100.0.4896.127
The security vulnerability, numbered CVE-2022-1364, was submitted by Clément Lecigne of Google’s Threat Analysis Group and the vulnerability was discovered on April 13.
According to Google, “Google is aware that an exploit for CVE-2022-1364 exists in the wild.“ At present, it is only known that this vulnerability is a Type Confusion in V8. According to MITRE’s Common Weakness Enumeration, Type confusion errors arise when”The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.” Type Confusion bug allows an attacker to perform out-of-bounds memory access.
Based on security considerations, Google will only disclose the full details of the vulnerability after most users update. Often such vulnerabilities can be used to execute arbitrary code or escape the browser’s security sandbox, and interested researchers can wait for subsequent Google disclosures.
CVE-2022-1364 is the third zero-day vulnerability addressed by Google in Chrome since the start of the year, the first being CVE-2022-0609, a use-after-free vulnerability in the Animation component that was patched on February 14, the second being CVE-2022-1096, a Type Confusion in V8 that fixed on March 25, 2022.
Users of Google Chrome can go to the About page of the settings, where they can see the current version number and can automatically check the latest version. If the user deploys the online installation package, it can be updated automatically. If the user deploys the offline installation package, the user needs to manually
download the new version to upgrade.
