Google pulls “Critical” alarm on Chrome CVE-2022-0971

Details are still sketchy on CVE-2022-0971, reported yesterday by the Google Chrome team, but they very clearly gave it a critical rating (topping a list of eight more vulnerabilities ranked as high).

Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21

A low-complexity, remotely exploitable bug, it’s coming in with a predicted CVSS base score of 9.8 or 10 out of 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The current fixed Chrome version is 99.0.4844.74.

Google’s Blink code has generated a lot of bugs over time. Another “use-after-free” in the “layout implementation in Blink” was reported by them almost a decade ago in CVE-2013-6658:

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the updateWidgetPositions function or (2) making a call into a plugin during execution of the updateWidgetPositions function.
