Debian update for chromium



Published: 2022-01-25
Risk High
Patch available YES
Number of vulnerabilities 22
CVE-ID CVE-2022-0302
CVE-2022-0311
CVE-2022-0310
CVE-2022-0309
CVE-2022-0308
CVE-2022-0307
CVE-2022-0306
CVE-2022-0305
CVE-2022-0304
CVE-2022-0303
CVE-2022-0301
CVE-2022-0289
CVE-2022-0300
CVE-2022-0298
CVE-2022-0297
CVE-2022-0296
CVE-2022-0295
CVE-2022-0294
CVE-2022-0293
CVE-2022-0292
CVE-2022-0291
CVE-2022-0290
CWE-ID CWE-416
CWE-122
CWE-358
CWE-362
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
chromium (Debian package)
Operating systems & Components / Operating system package or component

Vendor Debian

Security Bulletin

This security bulletin contains information about 22 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU59860

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0302

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Omnibox component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Heap-based buffer overflow

EUVDB-ID: #VU59869

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0311

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Task Manager. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Heap-based buffer overflow

EUVDB-ID: #VU59868

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0310

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Task Manager. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Improperly implemented security check for standard

EUVDB-ID: #VU59867

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0309

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Autofill in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU59866

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0308

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Data Transfer in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Use-after-free

EUVDB-ID: #VU59865

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0307

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Optimization Guide in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Heap-based buffer overflow

EUVDB-ID: #VU59864

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0306

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in PDFium. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improperly implemented security check for standard

EUVDB-ID: #VU59863

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0305

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Service Worker API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Use-after-free

EUVDB-ID: #VU59862

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0304

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Bookmarks component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Race condition

EUVDB-ID: #VU59861

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0303

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition in GPU Watchdog in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Heap-based buffer overflow

EUVDB-ID: #VU59859

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0301

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in DevTools. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Use-after-free

EUVDB-ID: #VU59848

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0289

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Safe browsing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Use-after-free

EUVDB-ID: #VU59858

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0300

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Text Input Method Editor component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Use-after-free

EUVDB-ID: #VU59857

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0298

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Scheduling component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Use-after-free

EUVDB-ID: #VU59856

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0297

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Vulkan component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Use-after-free

EUVDB-ID: #VU59855

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0296

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Printing component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) Use-after-free

EUVDB-ID: #VU59854

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0295

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Omnibox component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Improperly implemented security check for standard

EUVDB-ID: #VU59853

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0294

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Push messaging in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) Use-after-free

EUVDB-ID: #VU59852

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0293

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Web packaging component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) Improperly implemented security check for standard

EUVDB-ID: #VU59851

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0292

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Fenced Frames in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

21) Improperly implemented security check for standard

EUVDB-ID: #VU59850

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-0291

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Storage in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

22) Use-after-free

EUVDB-ID: #VU59849

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-0290

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Site isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update chromium package to version 97.0.4692.99-1~deb11u2.

Vulnerable software versions

chromium (Debian package): 76.0.3809.100-1~deb10u1 - 97.0.4692.71-0.1~deb11u1


CPE2.3 External links

http://www.debian.org/security/2022/dsa-5054

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###