CVE-2022-4262: New Chrome 0-Day Bug Under Active Attack

Google on Friday released software updates to address the 9th zero-day vulnerability of the year in its Chrome web browser.

Tracked as CVE-2022-4262, the high-severity vulnerability has been described as a Type Confusion in the V8 JavaScript engine. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. Clement Lecigne of Google’s Threat Analysis Group (TAG) has been credited with reporting the flaw on November 29, 2022.

At present, it is only known that this vulnerability is a Type Confusion in V8. According to MITRE’s Common Weakness Enumeration, Type confusion errors arise when”The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.” Type Confusion bug allows an attacker to perform out-of-bounds memory access.

“Google is aware that an exploit for CVE-2022-4262 exists in the wild,” the tech giant acknowledged in an advisory.

Based on security considerations, Google will only disclose the full details of the vulnerability after most users update. Often such vulnerabilities can be used to execute arbitrary code or escape the browser’s security sandbox, and interested researchers can wait for subsequent Google disclosures.

To ensure security, Google has released an emergency security update to fix this vulnerability, the corresponding version number is Google Chrome 108.0.5359.94 for Mac and Linux and 108.0.5359.94/.95 for Windows. Users are recommended to upgrade to the latest Google Chrome version for Windows, Mac, and Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the patch as and when it becomes available.