The latest Google Chrome update patches multiple high-severity vulnerabilities in the browser, the company has revealed.

In total, Google fixed seven vulnerabilities, including four labeled as high-severity: CVE-2022-2007 (Use-After-Free (UAF) vulnerability in WebGPU), CVE-2022-2008 (out-of-bounds memory access vulnerability in WebGL), CVE-2022-2010 (out-of-bounds read vulnerability in Chrome’s compositing component), and CVE-2022-2011 (UAF vulnerability in ANGLE).

Google is keeping quiet on how threat actors might leverage these vulnerabilities until the majority of users have patched, so details are relatively scarce. Still, the U.S. Cybersecurity & Infrastructure Agency (CISA) published a short advisory following the release of the patch, urging users to patch their endpoints immediately, as the flaws could be abused “to take control of an affected system.”

Version 102.0.5005.115 was officially released on Thursday, June 9, for Windows, Mac, and Linux, with the update set to roll out automatically to all users over the coming weeks.

Bounty hunters

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said. 

CVE-2022-2010 was uncovered by Google’s Project Zero research team, ZDNet finds, while the others were discovered by independent security researchers. According to the publication, CVE-2022-2007 has earned security researcher David Manouchehri a $10,000 reward, while the names of the people who discovered CVE-2022-2008 and CVE-2022-2011 have not yet been published. 

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Google. 

Chrome is currently the world’s number one browser, with more than 2.6 billion users worldwide.

Via: ZDNet