The bug, tracked as CVE-2022-2856 and rated as high on the Common Vulnerability Scoring System (CVSS), is associated with “insufficient validation of untrusted input in Intents,” according to the advisory posted by Google.

Google credits Ashley Shen and Christian Resell of its Google Threat Analysis Group (TAG) for reporting the zero-day bug, which could allow for arbitrary code execution, on July 19. The advisory also unveiled 10 other patches for various other Chrome issues.

In Chrome, developers need to use their intent string as defined in the document, according to Branch, a company that offers various linking options for mobile applications.

Insufficient validation is associated with input validation, a frequently-used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components, according to MITRE’s Common Weakness Enumeration site.

Publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences, because it takes time to roll out security updates to vulnerable systems and attackers are champing at the bit to exploit these types of flaws, observed Satnam Narang, senior staff research engineer at cybersecurity firm Tenable.

Holding back info is also sound given that other Linux distributions and browsers, such as Microsoft Edge, also include code based on Google’s Chromium Project; these all could be affected if an exploit for a vulnerability is released, he said.

FedCM—short for the Federated Credential Management API–provides a use-case-specific abstraction for federated identity flows on the web, according to Google.

The zero-day patch is the fifth Chrome bug under active attack that Google has patched so far this year.

In May, it was a separate buffer overflow flaw, CVE-2022-2294, and under active attack that got slapped with a patch.

In April, Google patched CVE-2022-1364, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine on which attackers already had pounced. The previous month a separate type-confusion issue in V8, tracked as CVE-2022-1096 and under active attack, also spurred a hasty patch. February saw a fix for the first of this year’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Later it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.