CVE-2022-3052 Heap buffer overflow in the Window Manager in Google Chrome on Chrome OS prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via specific UI interactions.
This issue did not affect systems where Lacrosse was not installed. Google Chrome prior to 105.0.5195.52 on Pixel devices allowed remote attackers to potentially exploit heap corruption via crafted UI interactions. This issue was fixed in Google Chrome 105.0.5195.52. Google Chrome prior to 105.0.15 -- codenamed Lacrosse -- enabled the heap to be used from local file system objects; however, certain types of object existed in the heap that were not allowed to be there. This issue was fixed in Google Chrome 105.0.15. Google Chrome prior to 105.0.1 -- codenamed Lively -- incorrectly allowed manipulation of local file system objects in the heap. This issue was fixed in Google Chrome 105.0.1. Google Chrome prior to 105.0.0 -- codenamed Skeleton -- did not properly restrict manipulation of local files in the heap. This issue was fixed in Google Chrome 105.0.0.
Google Chrome 104 .x.x
Google Chrome prior to 104.0.1 -- codenamed Moxie -- had an out-of-bound read in the V8 JavaScript engine, which allowed remote attackers to cause a denial of service (GPU process outage) via crafted HTML. This issue was fixed in Google Chrome 104.0.1.
Google Chrome 104.0.2
Google Chrome 104.0.2 was released to address two vulnerabilities:
CVE-2019-11782: A use after free in V8 allowed the execution of arbitrary code
CVE-2022-3052: Memory corruption in V8 allowed the execution of arbitrary code
These vulnerabilities were addressed through improved input validation.
Credit
Card Information Stolen in Google Chrome
Credit card information for more than 200,000 customers was stolen from their Google accounts by a threat actor. This issue was not related to the vulnerability described by CVE-2022-3052.
Microsoft Internet Explorer
10 on Windows 7
Microsoft Internet Explorer 9 and 10 on Windows 7 (32-bit) incorrectly validate X.509 certificates. This could allow a user to spoof content or perform phishing attacks.
Timeline
Published on: 09/26/2022 16:15:00 UTC
Last modified on: 10/03/2022 02:15:00 UTC
References
- https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html
- https://crbug.com/1346154
- https://security.gentoo.org/glsa/202209-23
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3052