CVE-2022-2856
Published: 2022-09-26
Priority: P2 79 · medium · 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-09-08
Exploited in the wild
EPSS: 4.49% (90.3rd percentile)
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 104.0.5112.101-1~deb11u1 | 104.0.5112.101-1~deb11u1 |
| chromium | chromium | >= 0 < 104.0.5112.101-1 | 104.0.5112.101-1 |
| chromium | chromium | >= 0 < 104.0.5112.101-1 | 104.0.5112.101-1 |
| chromium | chromium | >= 0 < 104.0.5112.101-1 | 104.0.5112.101-1 |
| debian | chromium | < chromium 104.0.5112.101-1 (bookworm) | chromium 104.0.5112.101-1 (bookworm) |
| fedoraproject | fedora | — | — |
| — | chrome | < 104.0.5112.101 | 104.0.5112.101 |
| — | chrome | < 104.0.5112.102 | 104.0.5112.102 |
| — | chrome | >= unspecified < 104.0.5112.101 | 104.0.5112.101 |
| — | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- CVE-2022-2856 is confirmed exploited in the wild (ITW); prioritize detection of exploitation attempts via crafted HTML pages delivering malicious Android Intent URIs through Chrome/Chromium-based browsers
- Attack vector is a crafted HTML page that abuses insufficient validation of untrusted input in Chromium Intents on Android; monitor for suspicious intent:// or android-app:// URI schemes in web traffic or HTML content delivered to Android Chrome users
- Vulnerability affects multiple Chromium-based browsers (Chrome, Microsoft Edge, Opera); scope detection broadly across all Chromium-based browser telemetry on Android, not just Google Chrome
- Fixed version for Google Chrome is 104.0.5112.101; any Chrome/Chromium installation below this version on Android should be considered vulnerable and flagged
- Debian fixed versions: 104.0.5112.101-1 (bookworm, forky, sid, trixie) and 104.0.5112.101-1~deb11u1 (bullseye); Debian-based Linux systems running older Chromium packages remain vulnerable
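The two checks in the list above (flag Android Chrome builds below 104.0.5112.101, and surface intent:// or android-app:// URIs in delivered HTML) as an added Python example; this is not tooling from the record or any vendor, and the User-Agent and HTML samples are constructed. It also accepts Debian package versions such as 104.0.5112.101-1~deb11u1 by comparing only the upstream dotted part.

```python
import re

# Fixed upstream version from the advisory.
FIXED_VERSION = "104.0.5112.101"

def parse_version(v):
    """Turn '104.0.5112.101' or a Debian version '104.0.5112.101-1~deb11u1'
    into an integer tuple; the Debian revision after '-' is not compared."""
    upstream = v.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))

def is_vulnerable(version):
    """True when the build predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+){3})")

def chrome_version_from_ua(user_agent):
    """Extract the Chrome/Chromium build from a User-Agent header, if any.
    Caveat: reduced UA strings may report a frozen minor version, so prefer
    MDM/inventory data where it exists."""
    m = UA_RE.search(user_agent)
    return m.group(1) if m else None

# Intent-style schemes named in the detection guidance above.
INTENT_RE = re.compile(r"(?:intent|android-app)://[^\"'\s<>]+", re.I)

def find_intent_uris(html):
    """Return every intent:// or android-app:// URI present in an HTML body."""
    return INTENT_RE.findall(html)

def triage(user_agent, html):
    """Findings for one request/response pair: an unpatched Android Chrome
    client, and any intent-scheme URIs in the content it received."""
    findings = []
    ver = chrome_version_from_ua(user_agent)
    if ver and "Android" in user_agent and is_vulnerable(ver):
        findings.append(f"vulnerable Android Chrome {ver} (< {FIXED_VERSION})")
    for uri in find_intent_uris(html):
        findings.append(f"intent-scheme URI in delivered HTML: {uri}")
    return findings

# Constructed samples (hypothetical client and page, not real traffic).
SAMPLE_UA = ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/104.0.5112.97 Mobile Safari/537.36")
SAMPLE_HTML = ('<a href="intent://example.test/#Intent;end">open</a> '
               '<a href="https://example.test/">ok</a>')

if __name__ == "__main__":
    for finding in triage(SAMPLE_UA, SAMPLE_HTML):
        print(finding)
```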
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
GHSA
GHSA-hq6m-mwgx-2pr8: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104
ghsa_unreviewed · 2022-09-27
CVE-2022-2856 [MEDIUM] CWE-20 GHSA-hq6m-mwgx-2pr8: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
OSV
CVE-2022-2856: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104
osv · 2022-09-26 · CVSS 6.5
CVE-2022-2856 [MEDIUM] CVE-2022-2856: Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
VulnCheck
Google Chromium Intents Insufficient Input Validation Vulnerability
vulncheck · 2022 · CVSS 6.5
CVE-2022-2856 [MEDIUM] CWE-20 Google Chromium Intents Insufficient Input Validation Vulnerability
Google Chromium Intents Insufficient Input Validation Vulnerability
Google Chromium Intents contains an insufficient validation of untrusted input vulnerability that allows a remote attacker to browse to a malicious website via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium Intents
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report
CISA
Google Chromium Intents Insufficient Input Validation Vulnerability
cisa · 2022-08-18 · CVSS 6.5
CVE-2022-2856 [MEDIUM] CWE-20 Google Chromium Intents Insufficient Input Validation Vulnerability
Vulnerability: Google Chromium Intents Insufficient Input Validation Vulnerability
Affected: Google Chromium Intents
Google Chromium Intents contains an insufficient validation of untrusted input vulnerability that allows a remote attacker to browse to a malicious website via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html; https://nvd.nist.gov/vuln/detail/CVE-2022-2856
Remediation Due Date: 2022-09-08
Chrome
Stable Channel Update for Desktop: CVE-2022-2856
vendor_chrome · 2022-08-16 · CVSS 6.5
CVE-2022-2856 [HIGH] Stable Channel Update for Desktop: CVE-2022-2856
Stable Channel Update for Desktop
CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
[$NA][1329794] High CVE-2022-2998: Use after free in Browser Creation. Reported by Sergei Glazunov of Google Project Zero on 2022-05-27
[$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell
Severity: high
Microsoft
Chromium: CVE-2022-2856 Insufficient validation of untrusted input in Intents
vendor_msrc · 2022-08-09 · CVSS 6.5
CVE-2022-2856 [MEDIUM] Chromium: CVE-2022-2856 Insufficient validation of untrusted input in Intents
Chromium: CVE-2022-2856 Insufficient validation of untrusted input in Intents
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2022-2856 exists in the wild.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 104.0.1293.60 | 8/17/2022 | 104.0.5112.102/101 |
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Mi
Debian
CVE-2022-2856: chromium - Insufficient validation of untrusted input in Intents in Google Chrome on Androi...
vendor_debian · 2022 · CVSS 6.5
CVE-2022-2856 [MEDIUM] CVE-2022-2856: chromium - Insufficient validation of untrusted input in Intents in Google Chrome on Androi...
Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 104.0.5112.101-1)
bullseye: resolved (fixed in 104.0.5112.101-1~deb11u1)
forky: resolved (fixed in 104.0.5112.101-1)
sid: resolved (fixed in 104.0.5112.101-1)
trixie: resolved (fixed in 104.0.5112.101-1)
No detection rules found.
No public exploits indexed.
arXiv
Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization
arxiv_fulltext · 2025-07-10
Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization
## Abstract
As the number of Common Vulnerabilities and Exposures (CVE) continues to grow exponentially, security teams face increasingly difficult decisions about prioritization. Current approaches using Common Vulnerability Scoring System (CVSS) scores produce overwhelming volumes of high-priority vulnerabilities, while Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) catalog offer valuable but incomplete perspectives on actual exploitation risk. We present Vulnerability Management Chaining, a decision tree framework that systematically integrates these three approaches to achieve efficient vulnerability prioritization. Our framework employs a two-stage evaluation process: first applying threat-based filtering using KEV membership or EPSS threshold 0.08
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
blogs_qualys · 2022-12-03 · CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
## Table of Contents
Organizations respond, but slowly
Qualys Patch Management speeds remediation
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.
blogs_qualys · 2022-09-13 · CVSS 5.6
[MEDIUM] September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.
## Table of Contents
Microsoft Patch Tuesday Summary
The September 2022 Microsoft Vulnerabilities Are Classified As Follows:
Notable Microsoft Vulnerabilities Patched
Zero-Day Vulnerabilities Addressed
Microsoft Important Vulnerability Highlights
Microsoft Edge | Last But Not Least
Adobe Security Bulletins and Advisories
About Qualys Patch Tuesday
Qualys Threat Protection High-Rated Advisories from August to September 2022 Patch Tuesday Advisory
Discover and Prioritize Vulnerabilities in Vulnerability Management Detection Response (VMDR)
Rapid Response With Patch Management (PM)
Evaluate Vendor-Suggested Workarounds With Policy Compliance
Qualys This Month in Vulnerabilities and Patches Webinar Series
Join the Webinar This Month in Vulnerabilities & Patches
NEW & NOTEWORTHY
References
- https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
- https://crbug.com/1345630
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-2856
2022-09-26: Published
2022-08-18: Added to CISA KEV
Exploited in the wild