Multiple vulnerabilities in Google Chrome



Published: 2022-08-17 | Updated: 2022-08-20
Risk Critical
Patch available YES
Number of vulnerabilities 10
CVE-ID CVE-2022-2852
CVE-2022-2854
CVE-2022-2855
CVE-2022-2857
CVE-2022-2858
CVE-2022-2853
CVE-2022-2856
CVE-2022-2859
CVE-2022-2860
CVE-2022-2861
CWE-ID CWE-416
CWE-122
CWE-20
CWE-264
CWE-358
Exploitation vector Network
Public exploit Vulnerability #7 is being exploited in the wild.
Vulnerable software
Subscribe
Google Chrome
Client/Desktop applications / Web browsers

Vendor Google

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU66559

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2852

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the FedCM component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1349322
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2852

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Use-after-free

EUVDB-ID: #VU66560

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2854

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the SwiftShader component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1337538
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2854

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Use-after-free

EUVDB-ID: #VU66561

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2855

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the ANGLE component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1345042
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2855

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Use-after-free

EUVDB-ID: #VU66562

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2857

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Blink component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1338135
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2857

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Use-after-free

EUVDB-ID: #VU66563

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2858

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the Sign-In Flow component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1341918
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2858

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Heap-based buffer overflow

EUVDB-ID: #VU66564

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2853

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted HTML content in Downloads. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1350097
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2853

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) Input validation error

EUVDB-ID: #VU66565

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-2856

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Intents component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1345630

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Use-after-free

EUVDB-ID: #VU66566

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2859

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Chrome OS Shell in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1338412

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU66567

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-2860

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Cookies in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1345193
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2860

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Improperly implemented security check for standard

EUVDB-ID: #VU66568

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-2861

CWE-ID: CWE-358 - Improperly Implemented Security Check for Standard

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation in Extensions API in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

Mitigation

Update to version 104.0.5112.101.

Vulnerable software versions

Google Chrome: 70.0.3538.67 - 104.0.5112.81


CPE2.3 External links

http://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
http://crbug.com/1346236
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-2861

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###