Security Experts:

Google Patches Critical Vulnerability With Chrome 99 Update

A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.

The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.

Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.

The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.

Google has paid out nearly $40,000 to the external researchers who reported the vulnerabilities patched with this Chrome update, but some rewards have yet to be determined.

The internet giant said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.

There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.

Google last week attempted to explain this trend, naming several factors that have apparently contributed. The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favorite target.

Related: Google Discovers Attack Exploiting Chrome Zero-Day Vulnerability

Related: Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup

Related: Google Paid Out Over $100,000 for Vulnerabilities Patched by Chrome 99

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.