Google has released emergency patches to close a security hole it says is being actively exploited in the wild in its Chrome web browser.
According to the company, the Stable channel has been updated to version 107.0.5304.121 for Mac and Linux, and to version 107.0.5304.121/.122 for Windows. These updates will roll out to all users in the coming days or weeks.
The security vulnerability addressed by the latest update is CVE-2022-4135, a very serious heap buffer overflow weakness in the GPU.
Google credited Clement Lecigne of its Threat Analysis Group with discovering the flaw on November 22, 2022.
Google says it is aware of an exploit for CVE-2022-4135 that exists in the wild. However, the company did not provide technical details about how the vulnerability was used in attacks or the threat actors that may have weaponized it.
Until a patch is available for the vast majority of users, access to bug information and links may remain limited, the company said.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet been fixed,” it added.
Attacks targeting heap buffer overflow bugs in Chrome’s GPU component could lead to unrestricted information access or arbitrary code execution. Attackers can use such vulnerabilities to install unwanted software on PCs.
To install the latest Chrome update, users need to go to Settings -> About Chrome, wait for the latest version to finish downloading, and then restart the program.
CVE-2022-4135 is the eighth zero-day Chrome bug exploited by malicious actors in attacks this year.
The previous seven zero days are:
CVE-2022-3075, which was addressed in September, was described as an insufficient data validation issue in Mojo, a collection of runtime libraries that provide a cross-platform mechanism for inter-process communication (IPC).
Sophisticated hackers usually take advantage of zero-day bugs and deploy them in highly targeted attacks.
To prevent abuse, all Chrome users should upgrade their web browsers as soon as the makers release updates.