CVE-2022-26486 An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.
The issue is triggered when WebGPU is enabled in a site and a malformed message is received by the browser. By sending a malformed message, an attacker can cause the browser to enter a use-after-free condition.
An attacker can exploit this vulnerability by enticing a user to visit a malicious site that hosts WebGPU. The user then receives malformed messages from the site and the use-after-free occurs, which can lead to remote code execution. We have received reports that malformed messages have been received by visiting the following malicious sites: We recommend that users avoid opening messages from untrusted sources.
Vulnerability overview
The WebGPU vulnerability affects all modern browsers and could allow an attacker to execute code on the targeted device.
This vulnerability is triggered when the user receives a malformed message from the browser, which leads to a use-after-free condition.
An attacker can exploit this vulnerability by enticing the user to visit a malicious site that hosts WebGPU and then sends a malformed message. The browser will then enter a use-after-free condition, which can lead to remote code execution.
How do I know if I’m affected by the vulnerability?
The vulnerability is triggered when WebGPU is enabled in a site and a malformed message is received by the browser.
If you are using Chrome, ensure that WebGPU is disabled.
If you are using Firefox, ensure that WebGPU is disabled.
If you are using Safari, ensure that WebGPU is disabled.
What does the update do?
Microsoft has released an update that resolves the vulnerabilities described above.
The update you need to install is KB 3205211.
If you have Automatic Updates enabled, the update will be downloaded and installed automatically. If you have not enabled Automatic Updates on your system, we recommend that you manually download and install this update from Microsoft Update Catalog or from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26486
How do I know if my browser is vulnerable?
If you are unsure if your browser is affected, you can use a tool to check the status of WebGPU.
This vulnerability was discovered by Natalie Silvanovich and Michal Zalewski from Google Project Zero.
Affected users will receive an error message in their browser. For example, on Microsoft Edge: "Web GPU has been disabled for this website."
Impact of vulnerability:
CVE-2022-26486 is a critical vulnerability that could allow an attacker to exploit the system by sending malformed messages to the browser. A user who visits a malicious website might receive a malformed message that can lead to remote code execution.
Timeline
Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 20:55:00 UTC