⚠ Actively exploited
Added to CISA KEV on 2022-08-18. Federal agencies required to patch by 2022-09-08. Required action: Apply updates per vendor instructions..

CVE-2022-2856Improper Input Validation in Google Chrome

CWE-20Improper Input Validation12 documents10 sources
Severity
6.5MEDIUMNVD
EPSS
5.1%
top 10.14%
CISA KEV
KEV
Added 2022-08-18
Due 2022-09-08
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Google ChromeChromiumDebian Chromium+3 more
Timeline
KEV addedAug 18
KEV dueSep 8
PublishedSep 26
Latest updateJul 10
CISA Required Action: Apply updates per vendor instructions.

Description

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

CVEListV5google/chromeunspecified104.0.5112.101
NVDgoogle/chrome< 104.0.5112.101+1
debiandebian/chromium< chromium 104.0.5112.101-1 (bookworm)
Debianchromium/chromium< 104.0.5112.101-1~deb11u1+3

Also affects: Fedora 37

Patches

Patch: chromereleases.googleblog.comPatch: chromereleases.googleblog.com

🔴Vulnerability Details

3
GHSA
GHSA-hq6m-mwgx-2pr8: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 1042022-09-27
OSV
CVE-2022-2856: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 1042022-09-26
VulnCheck
Google Chromium Intents Insufficient Input Validation Vulnerability2022

📋Vendor Advisories

4
CISA
Google Chromium Intents Insufficient Input Validation Vulnerability2022-08-18
Chrome
Stable Channel Update for Desktop: CVE-2022-28562022-08-16
Microsoft
Chromium: CVE-2022-2856 Insufficient validation of untrusted input in Intents2022-08-09
Debian
CVE-2022-2856: chromium - Insufficient validation of untrusted input in Intents in Google Chrome on Androi...2022

🕵️Threat Intelligence

3
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend2022-12-03
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.2022-09-13
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical. | Qualy2022-09-13

📄Research Papers

1
arXiv
Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization2025-07-10