Google fixes a Chrome zero-day flaw actively exploited in attacks

Pierluigi Paganini February 15, 2022

Google fixed a high-severity zero-day flaw actively exploited with the release of Chrome emergency update for Windows, Mac, and Linux.

Google fixed a high-severity zero-day flaw, tracked as CVE-2022-0609, actively exploited with the release of Chrome emergency update for Windows, Mac, and Linux. This is the first Chome zero-day fixed this year by Google.

The zero-day is a use after free issue that resides in Animation, the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.

“Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on 2022-02-10 [$TBD][1285449]” reads the security advisory published by Google. “Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.”

The emergency patches will be rolled out in the next weeks. Users could update their browser manually by visiting the entry Chrome menu > Help > About Google Chrome.

Google did not disclose technical details for the CVE-2022-0609 to avoid massive exploitation of the bug. The IT giant also avoided disclosing info regarding the attack in the wild exploiting the flaw.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.

Below is the list of the other flaws addressed by Google with the latest release of its browser:

  • [$15000][1290008] High CVE-2022-0603: Use after free in File Manager. Reported by Chaoyuan Peng (@ret2happy) on 2022-01-22
  • [$7000][1273397] High CVE-2022-0604: Heap buffer overflow in Tab Groups. Reported by Krace on 2021-11-24
  • [$7000][1286940] High CVE-2022-0605: Use after free in Webstore API. Reported by Thomas Orlita  on 2022-01-13
  • [$7000][1288020] High CVE-2022-0606: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-01-17
  • [$TBD][1250655] High CVE-2022-0607: Use after free in GPU. Reported by 0x74960 on 2021-09-17
  • [$NA][1270333] High CVE-2022-0608: Integer overflow in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-11-16
  • [$NA][1296150] High CVE-2022-0609: Use after free in Animation. Reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on 2022-02-10
  • [$TBD][1285449] Medium CVE-2022-0610: Inappropriate implementation in Gamepad API. Reported by Anonymous on 2022-01-08

Users are recommended to install Google Chrome update as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Google)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment