CVE-2022-1364
published 2022-07-26

CVE-2022-1364: Type confusion in V8 Turbofan in Google Chrome prior to 100.0.4896.127 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P183 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-06
Exploited in the wild
EPSS: 13.72% (96.0th percentile)

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 100.0.4896.127-1~deb11u1 | 100.0.4896.127-1~deb11u1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| chromium | chromium | >= 0 < 100.0.4896.127-1 | 100.0.4896.127-1 |
| debian | chromium | < chromium 100.0.4896.127-1 (bookworm) | chromium 100.0.4896.127-1 (bookworm) |
| google | chrome | < 100.0.4896.127 | 100.0.4896.127 |
| google | chrome | >= unspecified < 100.0.4896.127 | 100.0.4896.127 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs

  • CVE-2022-1364 is a type confusion vulnerability in V8 Turbofan (JavaScript engine) exploited in the wild via a crafted HTML page, enabling heap corruption; monitor for exploitation attempts delivered through malicious web pages targeting Chrome/Chromium-based browsers prior to version 100.0.4896.127.
  • Google confirmed an in-the-wild exploit exists for CVE-2022-1364; treat any unpatched Chromium-based browser (Chrome, Edge, Opera) as actively at risk and prioritize detection of exploitation via browser telemetry.
  • The vulnerability was reported on 2022-04-13 by Google's Threat Analysis Group (TAG), indicating it was likely used in targeted/nation-state attacks; correlate browser crash telemetry or renderer process anomalies around that date.
  • This vulnerability could affect multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; broaden detection scope to all Chromium-based browser processes.
  • Fixed version for Google Chrome is 100.0.4896.127; any Chrome/Chromium instance below this version is vulnerable.

CVSS provenance

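| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |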