A zero-day security vulnerability in Google’s Chrome browser is being actively exploited in the wild.
The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now.
The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google’s advisory.
Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn’t validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that’s not expected by the application.
“This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution,” according to MITRE.
Other details of the bug are scant — Google usually restricts details until a quorum of users have applied the updates.
Still, “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” reads the alert, so users should patch now.
This is the fifth actively exploited zero-day vulnerability disclosed in Chrome in 2022. The previous four were: CVE-2022-0609 (February), CVE-2022-1096 (March), CVE-2022-1364 (April), and CVE-2022-2294 (July).