Google rolls out patch for high-severity Chrome browser zero day


Google has patched a zero-day vulnerability in its Chrome browser, the eighth of its kind this year.

The vulnerability was caused by a “heap buffer overflow in GPU”, Google said. A heap buffer overflow occurs when a program writes past the end of a heap-allocated buffer, which can allow attackers to modify the data stored in the application’s heap, potentially altering what data the Chrome browser outputs.




The exploitation of buffer overflow flaws could also lead to general data corruption within the application, or the manipulation of the Chrome browser’s internal structures.

It has been assigned a severity rating of ‘high’, although a specific CVSSv3 score has not yet been released.

‘High’ severity ratings typically indicate a score in the range of 7.0-8.9, the second-highest severity classification on the widely used CVSS scale.

Google assigned the vulnerability a CVE identifier (CVE-2022-4135) for tracking and management, and released the new stable channel version of Google Chrome on Thursday across Windows, macOS, and Linux.

Google said it will be keeping more detailed information on the vulnerability under wraps until more users have had time to install the update.

It will also refrain from releasing further details if the Google Chrome team finds the issue to be present in, for example, a third-party library on which other applications depend, at least until that library also releases a fix.

The vulnerability was discovered by Clement Lecigne, security engineer at Google’s Threat Analysis Group - its security team primarily devoted to countering government-backed hacking efforts - and Google made no indication that the vulnerability has been actively exploited in the wild.

CVE-2022-4135 marks the eighth zero-day vulnerability found in Google Chrome since the start of 2022 and the second zero-day caused by a heap buffer overflow.

Three of the eight zero-days affecting the world’s most popular browser have been caused by errors in Google’s proprietary and open-sourced JavaScript V8 engine.

Since other major browsers also run on Chromium, such as Microsoft Edge, Opera, Vivaldi, and others, these were also vulnerable because they too relied on Google’s V8 engine.

The full list of Google Chrome zero-day vulnerabilities found in 2022 can be found below:

Connor Jones
News and Analysis Editor
