Multiple vulnerabilities in Google Chrome
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2022-1305 CVE-2022-1306 CVE-2022-1307 CVE-2022-1308 CVE-2022-1309 CVE-2022-1310 CVE-2022-1311 CVE-2022-1312 CVE-2022-1313 CVE-2022-1314 CVE-2022-2399 |
| CWE-ID | CWE-416 CWE-358 CWE-264 CWE-843 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Google Chrome Client/Desktop applications / Web browsers |
| Vendor |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU62061
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1305
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the storage component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1285234
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1305
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
2) Improperly implemented security check for standard
EUVDB-ID: #VU62062
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-1306
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in compositing in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1299287
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1306
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
3) Improperly implemented security check for standard
EUVDB-ID: #VU62063
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-1307
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in full screen in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1301873
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1307
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
4) Use-after-free
EUVDB-ID: #VU62064
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1308
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the BFCache component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1283050
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1308
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
5) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU62065
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1309
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in developer tools in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and compromise the affected system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1106456
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1309
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
6) Use-after-free
EUVDB-ID: #VU62066
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1310
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the regular expressions component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1307610
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1310
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
7) Use-after-free
EUVDB-ID: #VU62067
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1311
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Chrome OS shell component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1310717
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
8) Use-after-free
EUVDB-ID: #VU62068
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-1312
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the storage component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1311701
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1312
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
9) Use-after-free
EUVDB-ID: #VU62069
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-1313
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within tab groups in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1270539
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1313
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
10) Type Confusion
EUVDB-ID: #VU62070
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2022-1314
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a type confusion error and gain access to sensitive information.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: 70.0.3538.67 - 100.0.4896.75
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1304658
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-1314
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
11) Use-after-free
EUVDB-ID: #VU79618
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-2399
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the WebGPU component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate to version 100.0.4896.88.
Vulnerable software versionsGoogle Chrome: before 100.0.4896.88
Fixed software versionsCPE2.3 External links
http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
http://crbug.com/1313172
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
