CVE-2022-4262
published 2022-12-02


Priority P186 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-12-26
Exploited in the wild
EPSS: 16.11% (96.5th percentile)
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 108.0.5359.94-1~deb11u1 | 108.0.5359.94-1~deb11u1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| debian | chromium | < chromium 108.0.5359.94-1 (bookworm) | chromium 108.0.5359.94-1 (bookworm) |
| google | chrome | < 108.0.5359.94 | 108.0.5359.94 |
| google | chrome | >= unspecified < 108.0.5359.94 | 108.0.5359.94 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |

Detection & IOCs (extracted from sources)

version: Google Chrome < 108.0.5359.94
version: Microsoft Edge (Chromium-based) 108.0.1462.41 based on Chromium 108.0.5359.94
  • Google confirmed an in-the-wild exploit exists for CVE-2022-4262; treat any unpatched Chrome/Edge/Opera (Chromium-based) instance as actively at risk.
  • The vulnerability could affect multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; expand detection/patching scope accordingly.
  • CVE-2022-4262 was reported on 2022-11-29 by Clement Lecigne of Google's Threat Analysis Group, indicating it was likely observed in targeted exploitation before public disclosure.
  • Google withheld technical details about the vulnerability at time of patch release to limit exploitation spread; specific exploit mechanics were not publicly disclosed.
  • CISA mandated remediation by 2022-12-26; organizations still running unpatched Chromium-based browsers should treat this as critically overdue.

CVSS provenance

nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv · 8.8 HIGH
vulncheck · 8.8 HIGH
cisa · 8.8 HIGH
vendor_debian · 8.8 HIGH
vendor_msrc · 8.8 HIGH