Google has released Chrome 104.0.5112.101 (Mac/Linux) and 104.0.5112.102/101 (Windows), with fixes for 11 vulnerabilities (one rated Critical and seven rated High severity). One of the patches fixes a zero-day flaw, CVE-2022-2856.
An attacker could exploit these vulnerabilities to take control of impacted systems.
The latest Chrome 104 security update patched 11 vulnerabilities, including the following Critical (1) and High (6) severity vulnerabilities contributed by external researchers (zero-day CVE highlighted in bold):
- Critical CVE-2022-2852: Use after free in FedCM.
- High CVE-2022-2854: Use after free in SwiftShader.
- High CVE-2022-2855: Use after free in ANGLE.
- High CVE-2022-2857: Use after free in Blink.
- High CVE-2022-2858: Use after free in Sign-In Flow.
- High CVE-2022-2853: Heap buffer overflow in Downloads.
- **High CVE-2022-2856: Insufficient validation of untrusted input in Intents.**
Google is also aware that “an exploit for CVE-2022-2856 exists in the wild.”
This latest Chrome zero-day flaw follows another High severity zero-day (CVE-2022-2294), patched after it was found being exploited in the wild back in July.