A use-after-free vulnerability is when an application or system uses memory space after it has been freed. Let's take the following example:
Memory is allocated to Pointer A, and Pointer A then frees that memory. The system then allocates the freed memory to Pointer B. At this stage someone can still use Pointer A to reference the memory space, which causes the memory space to become corrupted. If the attack is planned right and points to shellcode, an attacker can execute arbitrary code on the target system.
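The Pointer A / Pointer B sequence above, replayed as an added example (not code from Chrome or from the original post). It uses a constructed one-slot pool so the memory reuse is deterministic, and a hypothetical handle type carrying a generation counter to show one way a stale reference can be rejected; all names here are illustrative assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed toy pool with one slot, so reuse after free is deterministic
   and the demo never touches memory the real allocator has released. */
#define SLOT_SIZE 16
static unsigned char slot[SLOT_SIZE];
static int slot_in_use;
static uint32_t slot_gen;            /* incremented on every free */

/* Hypothetical handle: raw pointer plus the generation it was issued in. */
typedef struct { unsigned char *ptr; uint32_t gen; } handle_t;

static handle_t pool_alloc(void) {
    handle_t h = { NULL, 0 };
    if (slot_in_use) return h;       /* pool exhausted */
    slot_in_use = 1;
    memset(slot, 0, SLOT_SIZE);
    h.ptr = slot; h.gen = slot_gen;
    return h;
}

static void pool_free(handle_t h) {
    if (!slot_in_use || h.ptr != slot || h.gen != slot_gen) return;
    slot_in_use = 0;
    slot_gen++;                      /* every older handle is now stale */
}

/* Unsafe: trusts the raw pointer, as code holding a dangling pointer does. */
static void write_raw(handle_t h, const char *s) {
    strncpy((char *)h.ptr, s, SLOT_SIZE - 1);
}

/* Hardened: refuses a handle whose generation no longer matches the slot. */
static int write_checked(handle_t h, const char *s) {
    if (!h.ptr || !slot_in_use || h.gen != slot_gen) return -1;
    write_raw(h, s);
    return 0;
}

/* Replays the Pointer A / Pointer B sequence; returns 1 if B's data changed. */
int replay(int checked) {
    handle_t a = pool_alloc();
    pool_free(a);                    /* A releases the memory ...      */
    handle_t b = pool_alloc();       /* ... and the pool hands it to B */
    write_raw(b, "owned-by-B");
    if (checked) write_checked(a, "stale-A"); else write_raw(a, "stale-A");
    int corrupted = strcmp((char *)b.ptr, "owned-by-B") != 0;
    pool_free(b);
    return corrupted;
}

int main(void) { return !(replay(0) == 1 && replay(1) == 0); }
```

With the raw pointer, the write through stale Pointer A overwrites B's data; with the generation check, the same write is refused and B's data is intact.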
Five of the eight vulnerabilities addressed in Chrome version 98.0.4758.102 are use-after-free bugs in different components of the browser, but only one has been identified as having a working exploit in the wild. With the large footprint that Chrome has, these vulnerabilities, if left unpatched, could represent a significant threat to security. Not exactly what you want to see.
Browser vulnerabilities are a great attack vector and are often used by initial access groups to build on their hoard of zombies and bots. They are also well used in targeted attacks and rank up there with all the fun macro vulnerabilities found in Microsoft Office products.
Although this is the first 0-day that Google has identified and addressed in 2022, it is certainly not the first that we have seen hit the internet, making 2022 a busy year, and we are just in the 2nd month. Google announced and patched a total of 17 zero-days in 2021. I wonder if they will top that number this year?
Happy patching.