
Patch now! Google Chrome’s GPU code has a zero-day

Google has released a security update for the Chrome browser to patch a high severity vulnerability that’s being used in the wild.

Chrome’s Stable channel, the home of official releases, has been updated to 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, which will roll out over the coming days/weeks.

Mitigation

Chrome users should ensure they are running the latest versions of the browser.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. However, you can end up lagging behind the most recent version if you never close the browser, or if something goes wrong—such as an extension stopping the update.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.


After the update the version should be 107.0.5304.121 or later.

If you are using another Chromium based browser, such as Edge or Brave, there is a good chance these will need an update soon too.
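When more than one machine needs checking, the version comparison described above can be scripted. The following is an added example, not part of the original article: it assumes each machine reports a string of the form `Google Chrome 107.0.5304.121` (as shown on the About Chrome page), and the hostnames and inventory entries are constructed sample data.

```python
import re

# Patched Stable build named in the article (Windows may also show .122).
PATCHED = (107, 0, 5304, 121)

# Matches "<product name> <a.b.c.d>", e.g. "Google Chrome 107.0.5304.121".
_VERSION_RE = re.compile(r"^(?P<product>.*?)\s*(?P<ver>\d+(?:\.\d+){3})\b")


def parse_version(text):
    """Return (product, (a, b, c, d)), or None if no 4-part version is found."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        return None
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))


def classify(text):
    """Classify one reported version string against the patched build."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    product, version = parsed
    # Other Chromium-based browsers number their releases differently, so the
    # Chrome threshold is not applied to them; check the vendor's own advisory.
    if product != "Google Chrome":
        return "check-vendor"
    # Tuples compare numerically per component. Comparing the raw strings
    # would wrongly rank "107.0.5304.99" above "107.0.5304.121".
    return "patched" if version >= PATCHED else "vulnerable"


# Constructed inventory: hostnames and reported strings are sample data.
INVENTORY = {
    "host-a": "Google Chrome 107.0.5304.99",
    "host-b": "Google Chrome 107.0.5304.122 ",
    "host-c": "Google Chrome 108.0.5359.71",
    "host-d": "Microsoft Edge 107.0.1418.56",
    "host-e": "chrome: command not found",
}


def audit(inventory):
    """Map each host to patched / vulnerable / check-vendor / unparseable."""
    return {host: classify(reported) for host, reported in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```
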

Vulnerability

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The vulnerability patched in this update is listed as CVE-2022-4135.

The bug is described as a heap buffer overflow in Chrome’s GPU code that could allow a remote attacker to perform a sandbox escape via a crafted HTML page.

Let’s try to break that down:

A buffer overflow is a type of flaw that occurs when a program writes beyond the memory it was allocated. When the write goes past that boundary, it lands in an adjacent memory area being used by something else and changes how that something else behaves. Often this results in program crashes or denial of service, but attackers can also use buffer overflows to run malicious code. Two common areas that are targeted for overflows are the stack and the heap.

The Chrome GPU process is used to handle graphics and visual processing. Every page viewed in Google Chrome is rendered in a “sandbox”, a mechanism that isolates it from the rest of the computer and prevents malicious web content from affecting anything outside the browser tab, such as the files on your computer. In a sandbox escape, an attacker has found a way to escape the confines of the sandbox and reach the system beyond it.

Google does not provide any details about vulnerabilities until everyone has had ample opportunity to install its patches. But it did reveal that it is aware that an exploit for CVE-2022-4135 exists in the wild.

Stay safe, everyone!



ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.