Google Rolls Out Emergency Patch for Ninth Zero-Day Chrome Vulnerability of 2022


Google is rolling out an emergency, out-of-band patch for another zero-day vulnerability in its flagship browser Chrome. Tracked as CVE-2022-4262, the vulnerability affects all browser versions on all platforms.

More importantly, the exploit for the vulnerability, a type confusion bug in Chrome’s V8 engine, exists in the wild. This is why patching the vulnerability, reported on November 29 by Clement Lecigne of Google’s Threat Analysis Group, should be prioritized.

Like the three other type confusion vulnerabilities found in Chrome in 2022, this one also threatens systems with vulnerable applications with out-of-bounds system memory access by threat actors.

“Details on the vulnerability and exploit have not been published yet, but ‘Type Confusion in V8′ vulnerabilities are related to the browser’s JavaScript engine,” Mike Walters, VP of vulnerability and threat research at Action1, told Spiceworks.

“It is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device.”

The Center for Internet Security (CIS) noted that successful exploitation of CVE-2022-4262 can enable threat actors to arbitrarily execute code in the context of the logged-on user. A hacker can install programs, view, change, delete data, or create new accounts with full user rights.

Walters added, “In most cases, attackers exploit such vulnerabilities when users visit their malicious site. Then they steal data from the affected devices, or create botnets to perform distributed denial-of-service (DDoS) attacks, mine cryptocurrency or send spam.”

CVE-2022-4262 is the ninth zero-day vulnerability discovered and patched in 2022. It is also the fourth vulnerability in the V8 engine, which, besides Chrome, is used across most Chromium-based web browsers, including Brave, Opera, Vivaldi and Microsoft Edge.

See More: Google Accuses Spanish Security Firm of Developing Exploit Tools for  Chrome And Microsoft Defender 

All nine Chrome zero-day bugs are listed below:


Type Resides In CVSS Score Month of Patch Release
CVE-2022-0609Opens a new window Use-after-free Animation 8.8

March 2022

CVE-2022-1096Opens a new window

Type confusion V8 engine 8.8 March 2022
CVE-2022-1364Opens a new window Type confusion V8 engine 8.8

April 2022

CVE-2022-2294Opens a new window

Heap buffer overflow WebRTC 8.8 July 2022
CVE-2022-2856Opens a new window Insufficient validation of untrusted input Intents 6.5

August 2022

CVE-2022-3075Opens a new window

Insufficient data validation Mojo 9.6 September 2022
CVE-2022-3723Opens a new window Type confusion V8 engine 8.8

October 2022

CVE-2022-4135Opens a new window

Heap buffer overflow GPU component of Chrome 9.6 November 2022
CVE-2022-4262 Type confusion V8 engine NA

December 2022

CIS wrote in a blog postOpens a new window that the risk from CVE-2022-4262 is ‘high’ to large, medium, and small government entities and businesses and that it poses a ‘low’ risk to individuals/home users.

“Google will not give details about the vulnerability until most users’ browsers are updated, and rightly so. The severity of this vulnerability can hardly be overstated. That’s why we recommend that you update your Chrome browser as soon as possible.”

To update Chrome to version 108.0.5359.94, click on the three vertical ellipses in the top right corner. Go to Settings > About Chrome, where the browser automatically checks for updates. The application will prompt users to restart Chrome after updates are installed.

“It is worth noting that patching browsers can be problematic though, because people do not like rebooting their browsers, which is often required as part of an update. That’s why the best practice for organizations is to automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users,” Walters advised.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Image source: Shutterstock