CVE-2022-0456
published 2022-04-05CVE-2022-0456: Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
PriorityP275high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.73%
49.6th percentile
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 98.0.4758.80-1~deb11u1 | 98.0.4758.80-1~deb11u1 |
| chromium | chromium | >= 0 < 98.0.4758.80-1 | 98.0.4758.80-1 |
| chromium | chromium | >= 0 < 98.0.4758.80-1 | 98.0.4758.80-1 |
| chromium | chromium | >= 0 < 98.0.4758.80-1 | 98.0.4758.80-1 |
| debian | chromium | < chromium 98.0.4758.80-1 (bookworm) | chromium 98.0.4758.80-1 (bookworm) |
| chrome | < 98.0.4758.80 | 98.0.4758.80 | |
| chrome | >= unspecified < 98.0.4758.80 | 98.0.4758.80 | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Vulnerability exists in Google Chrome versions prior to 98.0.4758.80; detect outdated Chrome installations below this version as potentially exploitable via CVE-2022-0456 ↗
- ·The vulnerability is triggered via profile destruction in the Web Search component; exploitation requires interaction with the browser profile lifecycle, limiting remote exploitation surface ↗
- ·Debian scoped this as 'local' scope despite NVD describing a remote attacker vector; detection strategies should account for both local and remote exploitation scenarios ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv8.8HIGH
vulncheck8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-2hq5-5vh4-f96j: Use after free in Web Search in Google Chrome prior to 98
ghsa_unreviewed·2022-04-06
CVE-2022-0456 [HIGH] CWE-416 GHSA-2hq5-5vh4-f96j: Use after free in Web Search in Google Chrome prior to 98
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
OSV
CVE-2022-0456: Use after free in Web Search in Google Chrome prior to 98
osv·2022-04-05·CVSS 8.8
CVE-2022-0456 [HIGH] CVE-2022-0456: Use after free in Web Search in Google Chrome prior to 98
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
VulnCheck
Google Chrome Use After Free
vulncheck·2022·CVSS 8.8
CVE-2022-0456 [HIGH] Google Chrome Use After Free
Google Chrome Use After Free
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.group-ib.com/resources/research-hub/hi-tech-crime-trends-2022/
Microsoft
Chromium: CVE-2022-0456 Use after free in Web Search
vendor_msrc·2022-02-08·CVSS 8.8
CVE-2022-0456 [HIGH] Chromium: CVE-2022-0456 Use after free in Web Search
Chromium: CVE-2022-0456 Use after free in Web Search
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
98.0.1108.43
2/3/2022
98.0.4758.80
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In yo
Debian
CVE-2022-0456: chromium - Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a re...
vendor_debian·2022·CVSS 8.8
CVE-2022-0456 [HIGH] CVE-2022-0456: chromium - Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a re...
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction.
Scope: local
bookworm: resolved (fixed in 98.0.4758.80-1)
bullseye: resolved (fixed in 98.0.4758.80-1~deb11u1)
forky: resolved (fixed in 98.0.4758.80-1)
sid: resolved (fixed in 98.0.4758.80-1)
trixie: resolved (fixed in 98.0.4758.80-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-04-05
Published
Exploited in the wild