Google released new software patches on Thursday to address a new zero-day vulnerability in its Chrome web browser.
Writing in a security bulletin, the tech giant described the high-severity vulnerability (tracked as CVE-2022-4135) as a heap buffer overflow in the graphics processing unit (GPU) component.
Google attributed the discovery of the vulnerability to Clement Lecigne from its Threat Analysis Group (TAG), saying the researcher made the discovery on November 24.
The new vulnerability marks the eighth zero-day fixed by Google for the desktop version of the Chrome web browser.
The company is recommending users upgrade to version 107.0.5304.121/.122 for Windows and 107.0.5304.121 for Mac and Linux. Chromium-based browsers like Microsoft Edge, Brave, Opera and Vivaldi should also be updated to apply the fixes as and when they become available.
Google is also currently withholding details about the vulnerability to prevent wider malicious exploitation.
While the full scope of the exploit is currently unknown, this type of vulnerability can typically enable threat actors to corrupt data and remotely execute code on a victim’s machine.
In fact, according to the US government’s National Institute of Standards and Technology (NIST), CVE-2022-4135 allows a “remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”
Patches for the vulnerability should be applied automatically. If that’s not the case because of system settings, users can upgrade their Chrome browser by clicking on the three vertical dots in the upper-right corner and navigating to ‘Help’ and then ‘About Google Chrome.’
The browser will then automatically check for and download the latest build (107.0.5304.121) and prompt users to restart their browser.
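For administrators who need to confirm the update has landed across a fleet rather than on one machine, the check reduces to comparing each installed build against the first fixed build named above. The following script is an added example, not code from the article or from Google: the fixed-version constants are the ones the article states, while the hostnames and installed versions in the sample inventory are constructed for illustration. It compares versions numerically (a plain string comparison would rank 107.0.5304.99 above 107.0.5304.121) and sets aside hosts whose version could not be read instead of silently treating them as patched.

```python
import re
from typing import Dict, List, Tuple

# Lowest Chrome build carrying the CVE-2022-4135 fix per platform, taken from
# the versions named in the article (107.0.5304.121/.122 for Windows,
# 107.0.5304.121 for Mac and Linux). The Windows .122 build is also fixed,
# so .121 is the minimum on every platform.
FIXED_VERSION: Dict[str, str] = {
    "windows": "107.0.5304.121",
    "mac": "107.0.5304.121",
    "linux": "107.0.5304.121",
}

_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a four-part Chrome version string into a numerically comparable tuple."""
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    major, minor, build, patch = (int(part) for part in version.split("."))
    return (major, minor, build, patch)


def is_patched(version: str, platform: str) -> bool:
    """True when the installed build is at or above the first fixed build for its platform."""
    return parse_version(version) >= parse_version(FIXED_VERSION[platform])


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Sort (host, platform, version) records into patched, vulnerable and unknown.

    Hosts with an unparseable version or an unrecognised platform go to
    'unknown' so they are followed up rather than assumed safe.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        try:
            bucket = "patched" if is_patched(version, platform.lower()) else "vulnerable"
        except (ValueError, KeyError):
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and installed versions are made up
# for this example and do not describe any real environment.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "windows", "107.0.5304.122"),   # fixed Windows build
    ("ws-02", "windows", "107.0.5304.107"),   # earlier 107 build, still vulnerable
    ("mac-01", "mac", "107.0.5304.121"),      # exactly the first fixed build
    ("lnx-01", "linux", "106.0.5249.119"),    # previous major release, vulnerable
    ("lnx-02", "linux", "108.0.5359.71"),     # later release, carries the fix
    ("kiosk-07", "linux", "unknown"),         # agent could not read the version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

In practice the inventory tuples would come from an endpoint-management export; the comparison logic stays the same, and anything landing in the `unknown` bucket is a collection gap to close, not a host to ignore.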
Some of the other zero-day Chrome vulnerabilities discovered by Google this year include CVE-2022-2294, which the company patched in July.