CVE-2022-3075
published 2022-09-26

Priority: P185, critical, 9.6 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2022-09-29
ITW: Exploited in the wild
EPSS: 5.68% (92.0th percentile)

Insufficient data validation in Mojo in Google Chrome prior to 105.0.5195.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Affected

10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 105.0.5195.102-1~deb11u1 | 105.0.5195.102-1~deb11u1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| chromium | chromium | >= 0 < 105.0.5195.102-1 | 105.0.5195.102-1 |
| debian | chromium | < chromium 105.0.5195.102-1 (bookworm) | chromium 105.0.5195.102-1 (bookworm) |
| fedoraproject | fedora | | |
| google | chrome | < 105.0.5195.102 | 105.0.5195.102 |
| google | chrome | >= unspecified < 105.0.5195.102 | 105.0.5195.102 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs

  • CVE-2022-3075 is exploited via a crafted HTML page delivered to a renderer-compromised Chrome instance; monitor for sandbox escape attempts originating from Chrome renderer processes
  • The vulnerability resides in the Mojo IPC runtime library within Chromium; focus detection on insufficient data validation in Mojo inter-process communication
  • This vulnerability affects multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; broaden detection scope accordingly
  • Google Chrome versions prior to 105.0.5195.102 are vulnerable; flag any instances of these older versions in the environment as high-risk
  • CVE-2022-3075 was the sixth actively exploited Chrome zero-day of 2022, patched just before a holiday weekend; organizations relying on manual patching cycles may have had extended exposure windows
  • CISA mandated remediation by 2022-09-29 per the Known Exploited Vulnerabilities catalog; any unpatched Chromium-based browser after this date represents a compliance and security gap

CVSS provenance

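| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| osv | | 9.6 | CRITICAL | |
| vulncheck | | 9.6 | CRITICAL | |
| cisa | | 9.6 | CRITICAL | |
| vendor_debian | | 9.6 | CRITICAL | |
| vendor_msrc | | 9.6 | CRITICAL | |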