A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.
The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.
Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.
The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.
Google has paid out nearly $40,000 to the external researchers who reported the vulnerabilities patched with this Chrome update, but some rewards have yet to be determined.
The internet giant said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.
There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.
Google last week attempted to explain this trend, naming several factors that have apparently contributed. The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favorite target.
Related: Google Discovers Attack Exploiting Chrome Zero-Day Vulnerability
Related: Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup
Related: Google Paid Out Over $100,000 for Vulnerabilities Patched by Chrome 99

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
