⚠ Actively exploited
Added to CISA KEV on 2022-09-08. Federal agencies required to patch by 2022-09-29. Required action: Apply updates per vendor instructions..

CVE-2022-3075Improper Input Validation in Google Chrome

CWE-20Improper Input Validation15 documents10 sources
Severity
9.6CRITICALNVD
EPSS
2.1%
top 15.84%
CISA KEV
KEV
Added 2022-09-08
Due 2022-09-29
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Google ChromeChromiumDebian Chromium+3 more
Timeline
KEV addedSep 8
PublishedSep 26
KEV dueSep 29
Latest updateDec 3
CISA Required Action: Apply updates per vendor instructions.

Description

Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages6 packages

CVEListV5google/chromeunspecified105.0.5195.102
NVDgoogle/chrome< 105.0.5195.102
debiandebian/chromium< chromium 105.0.5195.102-1 (bookworm)
Debianchromium/chromium< 105.0.5195.102-1~deb11u1+3

Also affects: Fedora 37

🔴Vulnerability Details

3
GHSA
GHSA-7ch3-c534-49jq: Insufficient data validation in Mojo in Google Chrome prior to 1052022-09-27
OSV
CVE-2022-3075: Insufficient data validation in Mojo in Google Chrome prior to 1052022-09-26
VulnCheck
Google Chromium Mojo Insufficient Data Validation Vulnerability2022

📋Vendor Advisories

4
Microsoft
Chromium: CVE-2022-3075 Insufficient data validation in Mojo2022-09-13
Chrome
Long Term Support Candidate Channel for ChromeOS: CVE-2022-30752022-09-09
CISA
Google Chromium Mojo Insufficient Data Validation Vulnerability2022-09-08
Debian
CVE-2022-3075: chromium - Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 al...2022

🕵️Threat Intelligence

7
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend2022-12-03
Securelist
IT threat evolution in Q3 2022. Non-mobile statistics2022-11-18
Securelist
PC malware statistics, Q3 20222022-11-18
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical.2022-09-13
Qualys
September 2022 Patch Tuesday | Microsoft Releases 63 Vulnerabilities With 5 Critical, Plus 16 Microsoft Edge (Chromium-Based); Adobe Releases 7 Advisories, 63 Vulnerabilities With 35 Critical. | Qualy2022-09-13