Type confusion errors, which occur when a resource (e.g., a variable or an object) is accessed using a type that is incompatible with what was originally initialised, could have serious consequences in languages that are not memory-safe like C and C++, allowing a malicious actor to perform out-of-bounds memory access.
Using the wrong type of memory buffer access can result in reading or writing memory outside of the buffer’s bounds if the allocated buffer is smaller than the type to which the code is trying to gain access, according to MITRE’s Common Weakness Enumeration (CWE).
It acknowledged that an exploit for CVE-2022-1096 “exists in the wild,” but did not provide any additional details in order to prevent any further exploitation and until the majority of users have been updated with a fix.
Chrome’s CVE-2022-1096, a use-after-free flaw in the animation component, was patched on February 14th of this year, making it the second zero-day vulnerability Google has addressed in Chrome this year.
TAG recently revealed the details of a North Korean nation-state campaign that used the flaw to attack U.S. businesses in the media, IT, cryptocurrency, and fintech industries, all of which are located in the United States.
Google Chrome users are strongly advised to upgrade to the latest version of 99.0.4844.84 for Windows, Mac, and Linux to protect themselves from any possible threats. As soon as the fixes become available, users of Chromium-based browsers like Opera, Microsoft Edge, and Vivaldi should also apply them.