Google has released a stable channel update for Google Chrome which fixes 11 vulnerabilities. The most severe of these could allow for arbitrary code execution, in the context of a logged-on user. Depending on that user’s privileges, an attacker could then view, change, or delete sensitive data and files, install programs, or even create new accounts with full user rights, further compromising the network. Because of this, the risks for accounts that operate with administrative user rights are significantly higher than for those that are configured with fewer user rights.
Google has released a stable channel update for Mac and Linux (104.0.5112.101) and for Windows (104.0.5112.102/101), which will roll out over the coming days and weeks. Any older Google Chrome version is at risk of being affected by these vulnerabilities. Users are advised to apply the stable channel update as soon as possible.
CVE-2022-2856
According to Google's own blog, "Google is aware that an exploit for CVE-2022-2856 exists in the wild." This vulnerability concerns insufficient validation of untrusted input in Intents. Further bug details are still kept restricted at this time, but may be released once a majority of users are up to date with the fix.
Discover Vulnerable Devices
Based on the information shared by Google, we have created a special Lansweeper report that will provide a list of all Google Chrome installs in your environment that could still be affected by the vulnerabilities mentioned. This way you have an actionable list of installs that still need to be updated.
| CVE Code | Description | Severity |
|---|---|---|
| CVE-2022-2852 | Use after free in FedCM | Critical |
| CVE-2022-2854 | Use after free in SwiftShader | High |
| CVE-2022-2855 | Use after free in ANGLE | High |
| CVE-2022-2857 | Use after free in Blink | High |
| CVE-2022-2858 | Use after free in Sign-In Flow | High |
| CVE-2022-2853 | Heap buffer overflow in Downloads | High |
| CVE-2022-2856 | Insufficient validation of untrusted input in Intents | High |
| CVE-2022-2859 | Use after free in Chrome OS Shell | Medium |
| CVE-2022-2860 | Insufficient policy enforcement | Medium |
| CVE-2022-2861 | Inappropriate implementation in Extensions API | Medium |
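As an added illustration of the check behind the "Discover Vulnerable Devices" report (example code written for this page, not Lansweeper's own report, which runs against its inventory database), the script below compares each installed Chrome version from a constructed inventory export against the lowest fixed build for its platform from the advisory, and flags entries whose version string cannot be parsed instead of silently treating them as patched.

```python
# Added example: flag Chrome installs below the fixed build from the advisory.
# Inventory data is constructed for illustration; asset names are not real.
from typing import Optional, Tuple

# Lowest fixed build per platform, from the advisory. Windows ships
# 104.0.5112.102 or .101, so .101 is the floor there as well.
FIXED_BUILD = {
    "windows": "104.0.5112.101",
    "mac": "104.0.5112.101",
    "linux": "104.0.5112.101",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '104.0.5112.101' into (104, 0, 5112, 101); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def needs_update(platform: str, version: str) -> bool:
    """True when the install is below the fixed build for its platform.

    A version that cannot be parsed is reported as needing an update so that
    bad inventory data does not hide an unpatched browser."""
    fixed = parse_version(FIXED_BUILD[platform.lower()])
    found = parse_version(version)
    if found is None:
        return True
    return found < fixed


def vulnerable_installs(inventory):
    """Return (asset, platform, version) for every install still at risk."""
    return [(a, p, v) for a, p, v in inventory if needs_update(p, v)]


# Constructed sample inventory: (asset name, platform, installed Chrome version)
SAMPLE_INVENTORY = [
    ("WS-001", "windows", "104.0.5112.102"),  # fixed Windows build
    ("WS-002", "windows", "104.0.5112.81"),   # earlier 104 build, still affected
    ("MAC-01", "mac", "104.0.5112.101"),      # fixed Mac build
    ("LNX-01", "linux", "103.0.5060.134"),    # older major version, affected
    ("WS-003", "windows", "unknown"),         # malformed inventory entry
]

if __name__ == "__main__":
    for asset, platform, version in vulnerable_installs(SAMPLE_INVENTORY):
        print(f"{asset} ({platform}) Chrome {version}: update required")
```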