Skip to content

Google patches 7 security flaws in Chrome including 4 high-risk ones

  • by
  • 2 min read

Google has updated Chrome to fix seven browser security flaws, four of which are classified as high risk. Full details of how the vulnerabilities can be exploited are yet to be disclosed per Google’s policy of waiting for most users to patch their browsers. 

According to an alert issued by the CISA, attackers can exploit these Chrome vulnerabilities in Windows, Linux or macOS to remotely take over an impacted system. The agency also encouraged users to update to Chrome version 102.0.5005.115.

The major addressing point of the update were the four high-risk vulnerabilities that opened up users to remote takeovers and memory buffer attacks that could let attackers take over the browser or, in some cases, the entire machine remote. The four high-risk vulnerabilities are as follows:

Vulnerability DescriptionDisclosed by
CVE-2022-2007Use-After-Free vulnerability in WebGPU allows an attacker to exploit the incorrect use of dynamic memory during a program’s operations to hack the host program. David Manouchehri
CVE-2022-2008Out-of-bounds memory access vulnerability in WebGL. This flaw will let attackers gain access to sensitive information that should otherwise be secure. khangkito – Tran Van Khang
CVE-2022-2010Out-of-bounds read vulnerability in the Chrome Compositing component.Mark Brand (Google Project Zero)
CVE-2022-2011Use-After-Free vulnerability in ANGLE, an open-source cross-platform graphics engine abstraction layer used in the Chrome backend. SeongHwan Park

These vulnerabilities have been discovered by Google’s Project Zero research team (CVE-2022-2010) and several independent security researchers. David Manouchehri, the researcher who disclosed CVE-2022-2007, received a bug bounty of $10,000. Bug bounties for CVE-2022-2008 and CVE-2022-2011 disclosures are yet to be determined. 

Other than withholding access to bug details until most Chrome users have updated their browsers, the company also stated that it may extend its restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t been fixed yet.

In the News: Travis CI leaks credentials, including open-source auth tokens

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: