Hearing in the news about the recent zero-day CVE-2022-1096 exploit in chromium, we are wondering how large a risk this is to users of JCEF ?
Since CVE-2022-1096 was published I can see 4 commits in the cef repository updating to a more recent chromium version have been committed, so I assume this is a work in progress and a jcef update may follow but there is no mention anywhere in the cef/jcef forums so I hope you don't mind me asking, is there a JCEF update upcoming to fix CVE-2022-1096 ?
some info from avertium.com :
On March 23, 2022, Google was alerted about a dangerous zero-day vulnerability found in all Chromium based browsers. An anonymous sender discovered the vulnerability, which is being tracked as CVE-2022-1096. The bug is a type confusion vulnerability and is currently being exploited by threat actors in the wild – making all Chromium based browsers vulnerable to attacks. The browsers included are: Microsoft’s Edge, Amazon Silk, Brave, Opera, Samsung Internet, Vivaldi, and Yandex.
CVE-2022-1096 affects 2 billion users and the threat level is rated “high” by Google. The vulnerability is a type confusion weakness located in the Chrome V8 JavaScript and WebAssembly engine. This flaw allows threat actors to execute arbitrary code on victim devices and allows the threat actor to trick Chrome into running malicious code. V8 is a component within Chrome that processes JavaScript, which is the engine that’s at the heart of Chrome.