CVE-2022-3075
Published 2022-09-26
Priority: P1 · 85 · critical · 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-09-29
Exploited in the wild
EPSS: 5.68% (92.0th percentile)
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 105.0.5195.102-1~deb11u1 | 105.0.5195.102-1~deb11u1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| debian | chromium | < chromium 105.0.5195.102-1 (bookworm) | chromium 105.0.5195.102-1 (bookworm) |
| fedoraproject | fedora | — | — |
| | chrome | < 105.0.5195.102 | 105.0.5195.102 |
| | chrome | >= unspecified < 105.0.5195.102 | 105.0.5195.102 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
Detection & IOCs (extracted from sources)
- CVE-2022-3075 is exploited via a crafted HTML page delivered to a renderer-compromised Chrome instance; monitor for sandbox escape attempts originating from Chrome renderer processes
- The vulnerability resides in the Mojo IPC runtime library within Chromium; focus detection on insufficient data validation in Mojo inter-process communication
- This vulnerability affects multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; broaden detection scope accordingly
- Google Chrome versions prior to 105.0.5195.102 are vulnerable; flag any instances of these older versions in the environment as high-risk
- CVE-2022-3075 was the sixth actively exploited Chrome zero-day of 2022, patched just before a holiday weekend; organizations relying on manual patching cycles may have had extended exposure windows
- CISA mandated remediation by 2022-09-29 per the Known Exploited Vulnerabilities catalog; any unpatched Chromium-based browser after this date represents a compliance and security gap
CVSS provenance
- nvd: 9.6 CRITICAL (v3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
- osv: 9.6 CRITICAL
- vulncheck: 9.6 CRITICAL
- cisa: 9.6 CRITICAL
- vendor_debian: 9.6 CRITICAL
- vendor_msrc: 9.6 CRITICAL
Microsoft
Chromium: CVE-2022-3075 Insufficient data validation in Mojo
vendor_msrc·2022-09-13·CVSS 9.6
CVE-2022-3075 [CRITICAL] Chromium: CVE-2022-3075 Insufficient data validation in Mojo
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very ri
Chrome
Long Term Support Candidate Channel for ChromeOS: CVE-2022-3075
vendor_chrome·2022-09-09·CVSS 9.6
CVE-2022-3075 [CRITICAL] Long Term Support Candidate Channel for ChromeOS: CVE-2022-3075
Long Term Support Candidate Channel for ChromeOS
CVE-2022-3075
CISA
Google Chromium Mojo Insufficient Data Validation Vulnerability
cisa·2022-09-08·CVSS 9.6
CVE-2022-3075 [CRITICAL] CWE-20 Google Chromium Mojo Insufficient Data Validation Vulnerability
Vulnerability: Google Chromium Mojo Insufficient Data Validation Vulnerability
Affected: Google Chromium Mojo
Google Chromium Mojo contains an insufficient data validation vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3075; https://nvd.nist.gov/vuln/detail/CVE-2022-3075
Remediation Due Date: 2022-09-29
Debian
CVE-2022-3075: chromium - Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 al...
vendor_debian·2022·CVSS 9.6
CVE-2022-3075 [CRITICAL] CVE-2022-3075: chromium - Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 al...
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Scope: local
bookworm: resolved (fixed in 105.0.5195.102-1)
bullseye: resolved (fixed in 105.0.5195.102-1~deb11u1)
forky: resolved (fixed in 105.0.5195.102-1)
sid: resolved (fixed in 105.0.5195.102-1)
trixie: resolved (fixed in 105.0.5195.102-1)
GHSA
GHSA-7ch3-c534-49jq: Insufficient data validation in Mojo in Google Chrome prior to 105
ghsa_unreviewed·2022-09-27
CVE-2022-3075 [CRITICAL] CWE-20 GHSA-7ch3-c534-49jq: Insufficient data validation in Mojo in Google Chrome prior to 105
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
OSV
CVE-2022-3075: Insufficient data validation in Mojo in Google Chrome prior to 105
osv·2022-09-26·CVSS 9.6
CVE-2022-3075 [CRITICAL] CVE-2022-3075: Insufficient data validation in Mojo in Google Chrome prior to 105
Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
VulnCheck
Google Chromium Mojo Insufficient Data Validation Vulnerability
vulncheck·2022·CVSS 9.6
CVE-2022-3075 [CRITICAL] CWE-20 Google Chromium Mojo Insufficient Data Validation Vulnerability
Google Chromium Mojo contains an insufficient data validation vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium Mojo
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_
No detection rules found.
No public exploits indexed.
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
blogs_qualys·2022-12-03·CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching
Securelist
IT threat evolution in Q3 2022. Non-mobile statistics
blogs_securelist·2022-11-18
Securelist
PC malware statistics, Q3 2022
blogs_securelist·2022-11-18
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2022:
- Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
- Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
- Attempts to run malware fo
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.
blogs_qualys·2022-09-13·CVSS 5.6
[MEDIUM] September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.
Qualys
Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications
blogs_qualys·2022-09-08·CVSS 9.6
CVE-2022-3075 [CRITICAL] Let Smart Automation Reduce the Risk of Zero-Day Attacks on Third-Party Applications
Last week, Google released yet another zero-day patch for its Chrome browser to fix a high-severity flaw that was already being exploited. That vulnerability (CVE-2022-3075) is the sixth actively exploited zero-day found in Chrome this year. While users are grateful for the urgent patch, it was released just before the Labor Day weekend when many IT and Cybersecurity staffers were on vacation and unable to respond to the vulnerability in a timely manner.
This event highlights the importance of responding quickly to the ever-growing volume of vulnerabilities introduced to your organization’
Checkpoint
05th September – Threat Intelligence Report
blogs_checkpoint·2022-09-05
CVE-2022-3075 05th September – Threat Intelligence Report
## 05th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 05th September, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
The Portuguese airline company TAP Air Portugal was the victim of an alleged ransomware attack launched by the Ragnar Locker ransomware gang. The airline company reported that the attack was blocked and that no unauthorized access was made to customer data, yet certain functionalities of the app and the website were i
- https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
- https://crbug.com/1358134
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4NMJURTG5RO3TGD7ZMIQ6Z4ZZ3SAVYE/
- https://security.gentoo.org/glsa/202209-23
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-3075
Published: 2022-09-26
Added to CISA KEV: 2022-09-08
Exploited in the wild