A new zero-day flaw in Google’s Chrome web browser that has been actively exploited was fixed in an out-of-band security update on Friday.
A type confusion issue in the V8 JavaScript engine is the subject of the high-severity flaw, which is categorized as CVE-2022-4262. On November 29, 2022, the issue was reported by Google’s Threat Analysis Group (TAG) employee Clement Lecigne.
Threat actors could use type confusion vulnerabilities to gain access to memory that is out of bounds or cause a crash and arbitrary code execution.
As indicated by the NIST’s Public Weakness Data set, the defect allows a “distant assailant to possibly take advantage of store defilement through a created HTML page.”
Google acknowledged that the vulnerability was actively exploited, but it did not provide any additional details to stop further abuse.
CVE-2022-4262 is the fourth actively exploited type confusion flaw in Chrome that Google has addressed since the start of the year. It’s also the ninth zero-day flaw attackers have exploited in the wild in 2022 –
CVE-2022-0609 – Use-after-free in Animation
CVE-2022-1096 – Type confusion in V8
CVE-2022-1364 – Type confusion in V8
CVE-2022-2294 – Heap buffer overflow in WebRTC
CVE-2022-2856 – Insufficient validation of untrusted input in Intents
CVE-2022-3075 – Insufficient data validation in Mojo
CVE-2022-3723 – Type confusion in V8
CVE-2022-4135 – Heap buffer overflow in GPU
Users are recommended to upgrade to version 108.0.5359.94 for macOS and Linux and 108.0.5359.94/.95 for Windows to mitigate potential threats.
Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.