Google Patches Fifth Chrome Zero-Day of 2022 as Hackers Actively Exploit the Flaw
A flaw in how Chrome handles a mobile-linking feature is being weaponised in real attacks. It's the fifth time this year Google has had to rush out an emergency fix for its browser.

Key points
- Google patched 11 security flaws in Chrome on Wednesday, 17 August 2022, one of which was already being actively exploited by hackers.
- The exploited flaw, tracked as CVE-2022-2856, sits in a Chrome feature called Intents — a system that opens mobile apps directly from a web link.
- Researchers Ashley Shen and Christian Resell, both from Google's own internal security team, reported the bug to Google on 19 July 2022.
- This is the fifth Chrome zero-day — meaning a flaw that was being attacked before Google even knew about it — patched so far in 2022.
- A separate critical bug, CVE-2022-2852, was also fixed in the same update.
Google's Chrome browser, used by roughly two-thirds of people who browse the web, picked up an emergency security patch this week. The patch closes a hole that criminals were already crawling through.
The flaw is catalogued as CVE-2022-2856. In plain terms, it sits inside a Chrome feature called Intents — the mechanism that lets a web link open a specific app on your Android phone directly, skipping the step where you'd have to find and launch the app yourself. Chrome wasn't checking that incoming instructions through this channel were safe before acting on them. Criminals could craft a malicious link that sneaks harmful instructions past that check.
The practical consequence: a successful attack could give a criminal the ability to run any code they want on a victim's device. That is about as bad as it gets.
How worried should everyday Chrome users be?
If your browser has updated itself in the last few days, you are almost certainly already protected. Chrome updates silently in the background for most people. You can confirm you're on a safe version by opening Chrome, clicking the three-dot menu in the top corner, selecting Help, then About Google Chrome — the page will tell you if an update is waiting.
Google is deliberately staying quiet about exactly how the attacks work. That silence is a deliberate tactic. Other browsers — including Microsoft Edge — are built on the same underlying code base, called Chromium, and need time to push their own patches before a detailed recipe for attack becomes public.
Satnam Narang, a researcher at security firm Tenable, told Threatpost that the caution is justified. Attackers, he noted, are ready to move the moment technical details surface, and it takes real time for patches to reach every vulnerable machine.
The same update also fixed a critical-rated bug, CVE-2022-2852, in a Chrome feature called FedCM — short for Federated Credential Management, a system that handles sign-in flows on the web. That bug was reported by Google Project Zero researcher Sergei Glazunov on 8 August 2022.
This year has been punishing for Chrome security. Five zero-days in eight months is a pace that should make anyone running a browser fleet uncomfortable. The failure mode here is predictable: organisations that don't enforce automatic updates leave windows open that hackers measure in hours, not days.
Update Chrome. Do it now, before you finish reading this.



