Google Chrome Zero-Day Found Exploited in the Wild

The high-severity security vulnerability (CVE-2022-2856) is due to improper user-input validation.

Dark Reading Staff, Dark Reading

August 17, 2022

1 Min Read
Google Chrome icon on computer desktop
Source: ImageBROKER via Alamy Stock Photo

A zero-day security vulnerability in Google's Chrome browser is being actively exploited in the wild.

The Internet behemoth released 11 security patches for Chrome this week, which are now being pushed out in stages to those with automatic updates enabled for Windows, Mac, and Linux; however, everyone can manually update now.

The zero-day (CVE-2022-2856) is rated as high severity and involves “insufficient validation of untrusted input in Intents,” according to Google's advisory.

Intents, where the bug resides, are used by Chrome to process user input; if the browser doesn't validate this input properly, an attacker is able to specially craft an input (say, a post in the comments section of a website) that's not expected by the application.

"This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution," according to MITRE.

Other details of the bug are scant — Google usually restricts details until a quorum of users have applied the updates.

Still, “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” reads the alert, so users should patch now.

This is the fifth actively exploited zero-day vulnerability disclosed in Chrome in 2022. The previous four were: CVE-2022-0609 (February), CVE-2022-1096 (March), CVE-2022-1364 (April), and CVE-2022-2294 (July).

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights