Recently, Google introduced a new numbered release of the Chrome browser 107. It fixed 14 vulnerabilities. Three days later, Google releases an emergency patch for a new exploitable 0-day vulnerability in the browser.
The vulnerability has been identified as CVE-2022-3723 and exploits a 0-day type confusion vulnerability in the Chromium V8 JavaScript engine. This gap was found on October 25 by researchers from Avast, and Google managed to declare that it was aware of its exploitation. However, the company will disclose the technical details of CVE-2022-3723 after updating the browser for most users.
This is the third vulnerability in Chrome related to JavaScript Chrome V. Prior to this, CVE-2022-1364 and CVE-2022-1096 were fixed. Both were related to type confusion in the Chrome V8 JavaScript engine.
In total, 7 0-day vulnerabilities in the browser from Google have been fixed this year. The other four were:
- CVE-2022-3075 – Incorrect data validation in Mojo IPC library.
- CVE-2022-2856 – Insufficient input validation in Intents.
- CVE-2022-2294 related to a heap overflow in the Web Real-Time Communications component;
- CVE-2022-0609 introducing a post-release vulnerability in animation.
Google disclosed the technical details of the attacks and did not attribute them to any of the hacker groups.
