Google is Rolling Out an Emergency Chrome Update to Fix a Zero-Day Vulnerability

Google is rolling out version 99.0.4844.84 of its Chrome browser for Windows, Mac, and Linux as an emergency update to patch a high-severity zero-day vulnerability, BleepingComputer reports.

According to Google, the zero-day bug, being tracked as CVE-2022-1096, is being actively exploited in the wild. “Google is aware that an exploit for CVE-2022-1096 exists in the wild,” the tech giant said in a security advisory published on Friday.

CVE-2022-1096 is a high-severity type confusion weakness in the Chrome V8 JavaScript engine. When exploited, the vulnerability generally causes browser crashes, but bad actors can also use it to execute malicious code on target devices.

Chrome version 99.0.4844.84 is already rolling out across the globe with a fix for the exploit, but Google expects it may be a few weeks before it reaches the entire userbase.

The update had already been installed when iPhone in Canada checked for available updates in Chrome.

To manually check for and install the update, open the Chrome menu (three vertically-aligned dots in the toolbar) and go to Help > About Google Chrome. Chrome will check for updates, and you can install any that are available. The browser will also automatically check for and install any available updates at launch.
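When many machines need checking rather than one, the comparison against the fixed build 99.0.4844.84 can be scripted. The following is an added example, not code from Google or from the original article; it assumes version text in the form printed by `google-chrome --version` on Linux or shown on the About page, and the host names and versions in the inventory are constructed sample data.

```python
import re

FIXED = (99, 0, 4844, 84)  # build carrying the CVE-2022-1096 fix, per the article

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text; None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, fixed=FIXED):
    """True if patched, False if older, None if the version is unreadable.

    Comparison is numeric per component: a plain string comparison would
    rank "99.0.4844.100" below "99.0.4844.84".
    """
    v = parse_version(text)
    return None if v is None else v >= fixed


def triage(inventory):
    """Split {host: version_text} into patched / vulnerable / unknown lists."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in sorted(inventory.items()):
        state = is_patched(text)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[key].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "ws-01": "Google Chrome 99.0.4844.84",
    "ws-02": "Google Chrome 99.0.4844.82",
    "ws-03": "Google Chrome 99.0.4844.100",
    "ws-04": "Google Chrome 100.0.4896.60",
    "ws-05": "Google Chrome 98.0.4758.102",
    "ws-06": "chrome: command not found",
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown list are worth following up by hand, since an unreadable version says nothing about whether the fix is installed.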

Google said it detected attacks exploiting CVE-2022-1096 in the wild, but the company won’t share further details until most users are inoculated against the vulnerability.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

This is the second time Google has addressed a Chrome zero-day this year, with the tech giant having patched another one (tracked as CVE-2022-0609) last month.

According to the Google Threat Analysis Group (TAG), North Korean-backed state hackers exploited the CVE-2022-0609 zero-day vulnerability weeks before the February patch. The earliest attacks that actively exploited the weakness were found on January 4, 2022.

Google also released an emergency Chrome update back in September 2021 to fix seven severe vulnerabilities. Last month, Google updated the Chrome logo for the first time since 2014.