A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.
The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.
Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week.
The latest Chrome update includes 11 security fixes, including eight with a “high severity” rating. These flaws, which can typically allow a sandbox escape or remote code execution, are mostly use-after-free issues.
Google has paid out nearly $40,000 to the external researchers who reported the vulnerabilities patched with this Chrome update, but some rewards have yet to be determined.
The internet giant said recently that it paid out nearly $9 million in bug bounties last year, including roughly $3.1 million for Chrome vulnerabilities.
There has been a surge in Chrome vulnerabilities exploited in the wild, with 14 zero-days exploited in 2021, far more than any other popular web browser.
Google last week attempted to explain this trend, naming several factors that have apparently contributed. The list includes more transparency regarding active exploitation, increased complexity of the browser, the need to chain multiple flaws for a useful exploit, and attackers increasingly targeting the browser itself following the death of Flash, their former favorite target.
Related: Google Discovers Attack Exploiting Chrome Zero-Day Vulnerability
Related: Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup
Related: Google Paid Out Over $100,000 for Vulnerabilities Patched by Chrome 99

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
