CVE-2022-1364
published 2022-07-26CVE-2022-1364: Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PriorityP183high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-06
Exploited in the wild
EPSS
13.72%
96.0th percentile
Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 100.0.4896.127-1~deb11u1 | 100.0.4896.127-1~deb11u1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| debian | chromium | < chromium 100.0.4896.127-1 (bookworm) | chromium 100.0.4896.127-1 (bookworm) |
| chrome | < 100.0.4896.127 | 100.0.4896.127 | |
| chrome | >= unspecified < 100.0.4896.127 | 100.0.4896.127 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2022-1364 is a type confusion vulnerability in V8 Turbofan (JavaScript engine) exploited in the wild via a crafted HTML page, enabling heap corruption; monitor for exploitation attempts delivered through malicious web pages targeting Chrome/Chromium-based browsers prior to version 100.0.4896.127. ↗
- →Google confirmed an in-the-wild exploit exists for CVE-2022-1364; treat any unpatched Chromium-based browser (Chrome, Edge, Opera) as actively at risk and prioritize detection of exploitation via browser telemetry. ↗
- →The vulnerability was reported on 2022-04-13 by Google's Threat Analysis Group (TAG), indicating it was likely used in targeted/nation-state attacks; correlate browser crash telemetry or renderer process anomalies around that date. ↗
- →This vulnerability could affect multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; broaden detection scope to all Chromium-based browser processes. ↗
- ·Fixed version for Google Chrome is 100.0.4896.127; any Chrome/Chromium instance below this version is vulnerable. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-r6mw-9h6p-mxpf: Type confusion in V8 Turbofan in Google Chrome prior to 100
ghsa_unreviewed·2022-07-27
CVE-2022-1364 [HIGH] CWE-843 GHSA-r6mw-9h6p-mxpf: Type confusion in V8 Turbofan in Google Chrome prior to 100
Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2022-1364: Type confusion in V8 Turbofan in Google Chrome prior to 100
osv·2022-07-26·CVSS 8.8
CVE-2022-1364 [HIGH] CVE-2022-1364: Type confusion in V8 Turbofan in Google Chrome prior to 100
Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Project0
2022 0-day In-the-Wild Exploitation…so far - Project Zero
project_zero·2022-06-01·CVSS 8.8
CVE-2016-5128 [HIGH] 2022 0-day In-the-Wild Exploitation…so far - Project Zero
Posted by Maddie Stone, Google Project Zero
This blog post is an overview of a talk, “ 0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available here.
For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report, which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nin
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2022·CVSS 8.8
CVE-2022-1364 [HIGH] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summ
Project0
Project Zero RCA: CVE-2022-1364: Inconsistent Object Materialization in V8
project_zero·CVSS 8.8
CVE-2022-1364 [HIGH] Project Zero RCA: CVE-2022-1364: Inconsistent Object Materialization in V8
# CVE-2022-1364: Inconsistent Object Materialization in V8
*Samuel Groß, V8 Security*
## The Basics
**Disclosure or Patch Date:** 14 April 2022
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html
**Affected Versions:** 100.0.4896.79 and previous
**First Patched Version:** 100.0.4896.127
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1315901
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/8081a5ffa7ebdb0e5b35cf63aa0490ad3578b940
**Bug-Introducing CL:** N/A
**Reporter(s):** Clément Lecigne of Google's Threat Analysis Group
## The Code
**Proof-of-concept:**
```javascript
function foo(bug) {
function C(z) {
Error.prepareStackTrace = function(t, B) {
return B[z].getThis(
Chrome
Long Term Support Channel Update: CVE-2022-1139
vendor_chrome·2022-04-28·CVSS 6.5
CVE-2022-1139 [MEDIUM] Long Term Support Channel Update: CVE-2022-1139
Long Term Support Channel Update
CVE-2022-1139: Inappropriate implementation in Background Fetch API 1315901 CVE-2022-1364: Type Confusion in V8. Giuliana Pritchard Google Chrome OS
Severity: medium
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2022-04-15·CVSS 8.8
CVE-2022-1364 [HIGH] CWE-843 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-1364
Remediation Due Date: 2022-05-06
Chrome
Chrome for Android Update: CVE-2022-1364
vendor_chrome·2022-04-14·CVSS 8.8
CVE-2022-1364 [HIGH] Chrome for Android Update: CVE-2022-1364
Chrome for Android Update
CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-04-13 We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel
Severity: high
Microsoft
Chromium: CVE-2022-1364: Type Confusion in V8
vendor_msrc·2022-04-12·CVSS 8.8
CVE-2022-1364 [HIGH] Chromium: CVE-2022-1364: Type Confusion in V8
Chromium: CVE-2022-1364: Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2022-1364 exists in the wild.
FAQ: What is the version information for this release?
Microsoft Edge Version
Date Released
Based on Chromium Version
100.0.1185.44
4/15/2022
100.0.4896.127
100.0.1185.44
4/15/2022
100.0.4896.88
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version o
Debian
CVE-2022-1364: chromium - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a...
vendor_debian·2022·CVSS 8.8
CVE-2022-1364 [HIGH] CVE-2022-1364: chromium - Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a...
Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 100.0.4896.127-1)
bullseye: resolved (fixed in 100.0.4896.127-1~deb11u1)
forky: resolved (fixed in 100.0.4896.127-1)
sid: resolved (fixed in 100.0.4896.127-1)
trixie: resolved (fixed in 100.0.4896.127-1)
No detection rules found.
No public exploits indexed.
Tenable
Mind the Gap: A Closer Look at Eight Notable CVEs from 2022
blogs_tenable·2023-05-09
Mind the Gap: A Closer Look at Eight Notable CVEs from 2022
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
blogs_qualys·2022-12-03·CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
## Table of Contents
Organizations respond, but slowly
Qualys Patch Management speeds remediation
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug ( CVE-2022-4262 ; QID 377804 ) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching
Securelist
Non-mobile malware statistics, Q2 2022
blogs_securelist·2022-08-15
Non-mobile malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2022
- IT threat evolution in Q2 2022. Non-mobile statistics
- IT threat evolution in Q2 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2022:
- Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
- Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware fo
Checkpoint
18th April – Threat Intelligence Report
blogs_checkpoint·2022-04-18
CVE-2022-20695 18th April – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 18th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 18th April, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Russian state-sponsored APT actor Sandworm made an attempt to hack into Ukraine’s power grid with the Industroyer2 malware, aiming at taking down multiple infrastructure components. The malware forensic analysis has revealed that the attack had been planned at least two weeks prior to the assault.
Hackers have been targeting
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.htmlhttps://crbug.com/1315901https://security.gentoo.org/glsa/202208-25https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.htmlhttps://crbug.com/1315901https://security.gentoo.org/glsa/202208-25https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1364
2022-07-26
Published
2022-04-15
Added to CISA KEV
Exploited in the wild