Last Updated on 27/03/2022 by Nidhi Khandelwal
Google released an out-of-band security update on Friday to fix a high-severity vulnerability in its Chrome browser that is being actively exploited in the wild, according to the company.
The zero-day weakness, identified as CVE-2022-1096, is a type misunderstanding vulnerability in the V8 JavaScript engine. On March 23, 2022, an anonymous researcher was credited with disclosing the problem.
In languages that are not memory safe, such as C and C++, type confusion errors, which occur when a resource (e.g., a variable or an object) is accessed using a type that is incompatible with what was originally initialized, could have serious consequences, allowing a malicious actor to perform out-of-bounds memory access.
“If the allocated buffer is smaller than the type that the function is attempting to access, it could read or write memory out of the bounds of the buffer, leading to a crash and possibly code execution,” MITER’s Common Weakness Enumeration (CWE) states.
The company stated that it is “aware that an exploit for CVE-2022-1096 exists in the wild,” but declined to provide any details in order to avoid further exploitation and until the majority of customers have been updated with a remedy.
CVE-2022-1096 is Google’s second zero-day vulnerability in Chrome since the beginning of the year; the first was CVE-2022-0609, a use-after-free flaw in the Animation component that was patched in February.
Google’s Threat Analysis Group (TAG) revealed details of a parallel effort orchestrated by North Korean nation-state organizations to target U.S.-based firms in the news media, IT, cryptocurrency, and finance industries earlier this week.
