Google Releases Emergency Chrome Update to Patch High-Severity Exploit

Google is rolling out an emergency update for Chrome, version 105.0.5195.102, to fix a high-severity zero-day security flaw on Mac, Windows, and Linux, BleepingComputer reports.

A zero-day vulnerability leaves users open to exploits and attacks until it is patched. This particular vulnerability, being tracked as CVE-2022-3075, is caused by insufficient data validation in Mojo, a collection of runtime libraries used by Chrome.

According to Google, the flaw was actively being exploited by attackers in the wild.

“Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild,” the company said in a security advisory published on Friday. The zero-day vulnerability was reported anonymously by a security researcher.

Updating Chrome to the latest available version will patch the vulnerability on your computer. Google Chrome version 105.0.5195.102 was available to download at the time of writing.

To manually check for and install the update, open the Chrome menu (three vertically-aligned dots in the toolbar) and go to Help > About Google Chrome. Chrome will check for updates, download any that are available, and prompt you for a restart to install them.

The browser also automatically checks for and installs available updates at launch.

Google said it will not release any technical information on the now-fixed zero-day or its exploits until the patch has made its way to the majority of Chrome’s user base. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said.

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

This is the sixth Chrome zero-day Google has pushed an update to fix so far this year. The company released an emergency Chrome update in July to patch CVE-2022-2294, and another in April to fix CVE-2022-1364. Both of those security holes were also being actively exploited before Google plugged them. Another vulnerability was fixed more recently, in August.