Google patches eleven vulnerabilities in Chrome, including a zero-day with an exploit

Google has released a patch for Chrome that fixes a zero-day. A working exploit exists, but how often the bug has been exploited and what it actually entails are unknown.

Google has released update 104.0.5112.102/101 for Chrome for Windows and 104.0.5112.101 for macOS and Linux as a stable release. The company writes in a blog post that eleven vulnerabilities in the browser have been fixed. Six of these are use-after-free bugs in FedCM, SwiftShader, ANGLE, Blink, Shell, and Sign-in Flow. There is also an incorrect policy enforcement issue in the Cookies functionality of the browser. The vulnerabilities were reported by third-party security researchers and in two cases by Google’s own Project Zero security department.

One of the bugs, CVE-2022-2856, is a zero-day. “Google is aware that an exploit of CVE-2022-2856 exists in the wild,” the company wrote, but did not provide details. It is not known whether that exploit is actually being abused, or in how many cases. Details about the vulnerability are scarce; Google describes it as insufficient validation of untrusted input in Intents and says nothing more. The vulnerability was found by an employee of Google’s own Threat Analysis Group, a separate security division.