CVE-2022-2480
Published: 2022-07-28
Priority: P3 · 58 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 17.86% (96.8th percentile)
Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 103.0.5060.134-1~deb11u1 | 103.0.5060.134-1~deb11u1 |
| chromium | chromium | >= 0 < 103.0.5060.134-1 | 103.0.5060.134-1 |
| chromium | chromium | >= 0 < 103.0.5060.134-1 | 103.0.5060.134-1 |
| chromium | chromium | >= 0 < 103.0.5060.134-1 | 103.0.5060.134-1 |
| debian | chromium | < chromium 103.0.5060.134-1 (bookworm) | chromium 103.0.5060.134-1 (bookworm) |
| | chrome | < 103.0.5060.134 | 103.0.5060.134 |
| | chrome | >= unspecified < 103.0.5060.134 | 103.0.5060.134 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
CVSS provenance
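| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |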
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2022-2480
vendor_chrome·2022-08-10·CVSS 8.8
CVE-2022-2480 [HIGH] Long Term Support Channel Update for ChromeOS: CVE-2022-2480
Microsoft
Chromium: CVE-2022-2480 Use after free in Service Worker API
vendor_msrc·2022-07-12·CVSS 8.8
CVE-2022-2480 [HIGH] Chromium: CVE-2022-2480 Use after free in Service Worker API
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 103.0.1264.71 | 7/22/2022 | 103.0.5060.134 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the bro
Debian
CVE-2022-2480: chromium - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 al...
vendor_debian·2022·CVSS 8.8
CVE-2022-2480 [HIGH] CVE-2022-2480: chromium - Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 al...
Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 103.0.5060.134-1)
bullseye: resolved (fixed in 103.0.5060.134-1~deb11u1)
forky: resolved (fixed in 103.0.5060.134-1)
sid: resolved (fixed in 103.0.5060.134-1)
trixie: resolved (fixed in 103.0.5060.134-1)
GHSA
GHSA-997v-v566-5ff3: Use after free in Service Worker API in Google Chrome prior to 103
ghsa_unreviewed·2022-07-29
CVE-2022-2480 [HIGH] CWE-416 GHSA-997v-v566-5ff3: Use after free in Service Worker API in Google Chrome prior to 103
Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
OSV
CVE-2022-2480: Use after free in Service Worker API in Google Chrome prior to 103
osv·2022-07-28·CVSS 8.8
CVE-2022-2480 [HIGH] CVE-2022-2480: Use after free in Service Worker API in Google Chrome prior to 103
Use after free in Service Worker API in Google Chrome prior to 103.0.5060.134 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://packetstormsecurity.com/files/168115/Chrome-content-ServiceWorkerVersion-MaybeTimeoutRequest-Heap-Use-After-Free.html
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop_19.html
https://crbug.com/1339844
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQKT7EGDD2P3L7S3NXEDDRCPK4NNZNWJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKLJ3B3D5BCVWE3QNP4N7HHF26OHD567/
https://security.gentoo.org/glsa/202208-35