With the first security update for Chrome 104, Google developers fix 11 vulnerabilities in the browser, including one that is already being used for attacks.
Google fixes a 0-day vulnerability in its browser with Chrome 104.0.5112.101/102 for Windows (104.0.5112.101 for macOS and Linux). In the Chrome Release Blog, Srinivas Sista lists ten of the 11 fixed vulnerabilities that were discovered by external researchers and reported to Google.
Google classifies one of them (CVE-2022-2852) as critical. It is a use-after-free vulnerability in the Federated Credential Management API (password management). Google identifies another six vulnerabilities as high risk, including four use-after-free vulnerabilities in various browser components.
The 0-day vulnerability CVE-2022-2856 is also considered high risk. The flaw is insufficient validation of input data in a component that serves as an interface to web apps. The vulnerability was discovered by researchers from Google’s TAG (Threat Analysis Group) in mid-July. Google did not provide details about the observed attacks.
So far, Google has awarded the outside researchers $29,000 in rewards. As always, Google has not published details of internally found security gaps. As a rule, Chrome updates itself automatically when a new version is available. You can trigger the update check manually via “Help » About Google Chrome”.
Other Chromium-based browsers
The manufacturers of other Chromium-based browsers are now being asked to follow suit with appropriate updates. Microsoft Edge 104.0.1293.54, Brave 1.42.95 and Vivaldi 5.4.2753.33 are based on Chromium version 104.0.5112.81/83, which was previously considered secure. Opera 89.0.4447.91 still has Chromium 103 under the hood. Opera 90 based on Chromium 104 is still in beta.
Chrome 104.0.5112.99 for iOS has also already been released. Google will release Chrome 105 on August 30th.
Chromium-based browsers at a glance: