Connect with us

Hi, what are you looking for?



Chrome 102 Update Patches High-Severity Vulnerabilities

Google this week announced the release of a Chrome browser update that resolves seven vulnerabilities, including four issues reported by external researchers.

Google this week announced the release of a Chrome browser update that resolves seven vulnerabilities, including four issues reported by external researchers.

Tracked as CVE-2022-2007, the first of these bugs is described as a use-after-free in WebGPU. The security hole was reported by David Manouchehri, who received a $10,000 bug bounty reward for his finding.

Use-after-free issues are triggered when a program doesn’t clear the pointer after freeing memory allocation, and can be exploited for arbitrary code execution, denial of service, or data corruption, potentially leading to system compromise, if combined with other vulnerabilities. In the case of Chrome, they often lead to a sandbox escape.

Another use-after-free vulnerability addressed with this Chrome update is CVE-2022-2011, a flaw identified in ANGLE, Chrome’s graphics engine abstraction layer. The bug was reported by SeongHwan Park.

The latest Chrome update also resolves CVE-2022-2008, an out-of-bounds memory access in WebGL, which was reported by VinCSS Cybersecurity researcher Tran Van Khang.

Google says it has yet to determine the bug bounty amounts to be paid for these two vulnerabilities.

The fourth externally reported vulnerability addressed with this browser update is CVE-2022-2010, an out-of-bounds read in compositing, which was reported by Mark Brand of Google Project Zero. As per Google’s policies, the researcher won’t be awarded a bug bounty.

Advertisement. Scroll to continue reading.

The latest Chrome iteration is now rolling out to Windows, Mac, and Linux users as version 102.0.5005.115.

Google made no mention of any of these vulnerabilities being exploited in the wild, but users are advised to update their browsers as soon as possible.

Three Chrome vulnerabilities are known to have been exploited in attacks so far this year.

Related: Chrome 102 Patches 32 Vulnerabilities

Related: Chrome 101 Update Patches High-Severity Vulnerabilities

Related: Chrome 101 Patches 30 Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.