Multiple vulnerabilities in Google Chrome



| Updated: 2023-08-16
Risk High
Patch available YES
Number of vulnerabilities 27
CVE-ID CVE-2022-0109
CVE-2022-0120
CVE-2022-0118
CVE-2022-0116
CVE-2022-0115
CVE-2022-0114
CVE-2022-0113
CVE-2022-0112
CVE-2022-0111
CVE-2022-0110
CVE-2022-0108
CVE-2022-0096
CVE-2022-0107
CVE-2022-0106
CVE-2022-0105
CVE-2022-0104
CVE-2022-0103
CVE-2022-0102
CVE-2022-0101
CVE-2022-0100
CVE-2022-0099
CVE-2022-0098
CVE-2022-0097
CVE-2022-0117
CVE-2022-0337
CVE-2022-4925
CVE-2022-4924
CWE-ID CWE-358
CWE-908
CWE-125
CWE-451
CWE-416
CWE-122
CWE-843
CWE-264
CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #25 is available.
Vulnerable software
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 27 vulnerabilities.

Updated: 23.03.2022

Added vulnerability #25.

1) Improperly implemented security check for standard

EUVDB-ID: #VU59208

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0109

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1261689
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improperly implemented security check for standard

EUVDB-ID: #VU59217

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0120

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Passwords in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1262953
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improperly implemented security check for standard

EUVDB-ID: #VU59216

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0118

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in WebShare in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1238631
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improperly implemented security check for standard

EUVDB-ID: #VU59215

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0116

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Compositing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1272250
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use of uninitialized resource

EUVDB-ID: #VU59214

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0115

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in File API in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger uninitialized usage of resources and bypass implemented security mechanisms.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1268903
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Out-of-bounds read

EUVDB-ID: #VU59213

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0114

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a boundary condition within the Web Serial component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an out-of-bounds read error and crash the browser.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1267627
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improperly implemented security check for standard

EUVDB-ID: #VU59212

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0113

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Blink in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1039885
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Spoofing attack

EUVDB-ID: #VU59211

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0112

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Browser UI in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1255713
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improperly implemented security check for standard

EUVDB-ID: #VU59210

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0111

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1241188
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Spoofing attack

EUVDB-ID: #VU59209

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0110

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and spoof web page content.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1237310
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improperly implemented security check for standard

EUVDB-ID: #VU59207

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0108

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Navigation in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1248444
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Use-after-free

EUVDB-ID: #VU59195

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0096

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Storage component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1275020
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Use-after-free

EUVDB-ID: #VU59206

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0107

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within File Manager API in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1248438
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Use-after-free

EUVDB-ID: #VU59205

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0106

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Autofill component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1278960
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU59204

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0105

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the PDF component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1274376
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Heap-based buffer overflow

EUVDB-ID: #VU59203

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0104

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in ANGLE. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1273661
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Use-after-free

EUVDB-ID: #VU59202

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0103

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1272266
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Type Confusion

EUVDB-ID: #VU59201

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0102

CWE-ID: CWE-843 - Type confusion

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1260129
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Heap-based buffer overflow

EUVDB-ID: #VU59200

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0101

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Bookmarks. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1249426
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Heap-based buffer overflow

EUVDB-ID: #VU59199

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0100

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Media streams API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1238209
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Use-after-free

EUVDB-ID: #VU59198

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0099

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Sign-in component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1245629
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Use-after-free

EUVDB-ID: #VU59197

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0098

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Screen Capture component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1273609
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improperly implemented security check for standard

EUVDB-ID: #VU59196

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0097

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1117173
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU59218

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-0117

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due incorrect implementation of policy restrictions in Service Workers. A remote attacker can trick the victim to open a specially crafted web page and bypass implemented security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1115847
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU61580

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2022-0337

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to inappropriate implementation in File System API in Google Chrome. A remote attacker can extract sensitive information stored in system environment variables.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 96.0.4664.110

CPE2.3 External links

http://github.com/Puliczek/CVE-2022-0337-PoC-Google-Chrome-Microsoft-Edge-Opera
http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

26) Input validation error

EUVDB-ID: #VU79595

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-4925

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to crash the browser.

The vulnerability exists due to a improper input validation in QUIC in Google Chrome. A remote attacker can trick the victim to perform certain actions in browser and crash it.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: before 97.0.4692.71

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1238309


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Use-after-free

EUVDB-ID: #VU79594

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-4924

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 97.0.4692.71.

Vulnerable software versions

Google Chrome: before 97.0.4692.71

CPE2.3 External links

http://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html
http://crbug.com/1272967


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###