Multiple vulnerabilities in Google Chrome



Published: 2022-03-29 | Updated: 2022-04-02
Risk High
Patch available YES
Number of vulnerabilities 20
CVE-ID CVE-2022-1137
CVE-2022-1146
CVE-2022-1145
CVE-2022-1144
CVE-2022-1143
CVE-2022-1142
CVE-2022-1141
CVE-2022-1139
CVE-2022-1138
CVE-2022-1136
CVE-2022-1125
CVE-2022-1135
CVE-2022-1134
CVE-2022-1133
CVE-2022-1132
CVE-2022-1131
CVE-2022-1130
CVE-2022-1129
CVE-2022-1128
CVE-2022-1127
CWE-ID CWE-358
CWE-416
CWE-122
CWE-843
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 20 vulnerabilities.

1) Improperly implemented security check for standard

EUVDB-ID: #VU61710

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1137

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1289846
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1137

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Improperly implemented security check for standard

EUVDB-ID: #VU61718

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-1146

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Resource Timing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1290150
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1146

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Use-after-free

EUVDB-ID: #VU61717

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1145

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Extensions in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1304545
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1145

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Use-after-free

EUVDB-ID: #VU61716

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1144

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within WebUI in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1304145

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Heap-based buffer overflow

EUVDB-ID: #VU61715

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1143

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebUI. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1303615
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1143

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Heap-based buffer overflow

EUVDB-ID: #VU61714

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1142

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in WebUI. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1303613

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) Use-after-free

EUVDB-ID: #VU61713

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1141

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within File Manager in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1303253

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Improperly implemented security check for standard

EUVDB-ID: #VU61712

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1139

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Background Fetch API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1268541
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1139

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Improperly implemented security check for standard

EUVDB-ID: #VU61711

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1138

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Web Cursor in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1246188
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1138

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Use-after-free

EUVDB-ID: #VU61709

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1136

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Tab Strip in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1280205
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1136

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

11) Use-after-free

EUVDB-ID: #VU61700

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1125

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Portals component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1292261
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1125

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

12) Use-after-free

EUVDB-ID: #VU61708

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1135

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Shopping Cart in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1285601
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1135

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

13) Type Confusion

EUVDB-ID: #VU61707

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1134

CWE-ID: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1308360
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1134

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

14) Use-after-free

EUVDB-ID: #VU61706

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1133

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the WebRTC component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1305776
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1133

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

15) Improperly implemented security check for standard

EUVDB-ID: #VU61705

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1132

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Virtual Keyboard in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1303410

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

16) Use-after-free

EUVDB-ID: #VU61704

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1131

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Cast UI component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1297404
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1131

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

17) Input validation error

EUVDB-ID: #VU61719

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1130

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in WebOTP component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1142269
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1130

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

18) Improperly implemented security check for standard

EUVDB-ID: #VU61703

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1129

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Full Screen Mode in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1300253
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1129

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

19) Improperly implemented security check for standard

EUVDB-ID: #VU61702

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-1128

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to incorrect implementation in Web Share API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1301920
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1128

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

20) Use-after-free

EUVDB-ID: #VU61701

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-1127

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the QR Code Generator component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 100.0.4896.60.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 99.0.4844.84


CPE2.3 External links

http://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html
http://crbug.com/1291891
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1127

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###