⚠ Actively exploited
Added to CISA KEV on 2023-03-30. Federal agencies required to patch by 2023-04-20. Required action: Apply updates per vendor instructions..

CVE-2022-3038Use After Free in Google Chrome

CWE-416Use After Free10 documents9 sources
Severity
8.8HIGHNVD
EPSS
36.0%
top 2.90%
CISA KEV
KEV
Added 2023-03-30
Due 2023-04-20
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Google ChromeChromiumDebian Chromium+3 more
Timeline
PublishedSep 26
KEV addedMar 30
KEV dueApr 20
Latest updateSep 1
CISA Required Action: Apply updates per vendor instructions.

Description

Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5google/chromeunspecified105.0.5195.52
NVDgoogle/chrome< 105.0.5195.52
debiandebian/chromium< chromium 105.0.5195.52-1 (bookworm)
Debianchromium/chromium< 105.0.5195.52-1~deb11u1+3

Also affects: Fedora 37

🔴Vulnerability Details

5
Project0
Analyzing a Modern In-the-wild Android Exploit - Project Zero2023-09-01
GHSA
GHSA-r8h7-mp45-wq8g: Use after free in Network Service in Google Chrome prior to 1052022-09-27
OSV
CVE-2022-3038: Use after free in Network Service in Google Chrome prior to 1052022-09-26
VulnCheck
Google Chromium Network Service Use-After-Free Vulnerability2022
Project0
Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser

📋Vendor Advisories

4
CISA
Google Chromium Network Service Use-After-Free Vulnerability2023-03-30
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2022-30382022-11-30
Microsoft
Chromium: CVE-2022-3038 Use after free in Network Service2022-09-13
Debian
CVE-2022-3038: chromium - Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowe...2022