CVE-2022-4262
published 2022-12-02CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…
PriorityP186high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-12-26
Exploited in the wild
EPSS
16.11%
96.5th percentile
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 108.0.5359.94-1~deb11u1 | 108.0.5359.94-1~deb11u1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| chromium | chromium | >= 0 < 108.0.5359.94-1 | 108.0.5359.94-1 |
| debian | chromium | < chromium 108.0.5359.94-1 (bookworm) | chromium 108.0.5359.94-1 (bookworm) |
| chrome | < 108.0.5359.94 | 108.0.5359.94 | |
| chrome | >= unspecified < 108.0.5359.94 | 108.0.5359.94 | |
| chrome_chrome | — | — | |
| msrc | microsoft_edge | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Google confirmed an in-the-wild exploit exists for CVE-2022-4262; treat any unpatched Chrome/Edge/Opera (Chromium-based) instance as actively at risk. ↗
- →The vulnerability could affect multiple Chromium-based browsers beyond Chrome, including Microsoft Edge and Opera; expand detection/patching scope accordingly. ↗
- →CVE-2022-4262 was reported on 2022-11-29 by Clement Lecigne of Google's Threat Analysis Group, indicating it was likely observed in targeted exploitation before public disclosure. ↗
- ·Google withheld technical details about the vulnerability at time of patch release to limit exploitation spread; specific exploit mechanics were not publicly disclosed. ↗
- ·CISA mandated remediation by 2022-12-26; organizations still running unpatched Chromium-based browsers should treat this as critically overdue. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vulncheck8.8HIGH
cisa8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Project0
Analyzing a Modern In-the-wild Android Exploit - Project Zero
project_zero·2023-09-01·CVSS 7.8
CVE-2022-22706 [HIGH] Analyzing a Modern In-the-wild Android Exploit - Project Zero
By Seth Jenkins, Project Zero
## Introduction
In December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one of the exploit chains, specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver) as well as the techniques used by the attacker to gain kernel arbitrary read/write access.
Notably, several of the previous stages of the exploit chain used n-day vulnerabilities:
-
CVE-2022-4262, a 0-day vulnerability in Chrome was exploited in the Samsung browser to achieve RCE.
-
CVE-2022-3038, a Chrome n-day that unpatched in the Samsung
GHSA
GHSA-hq2w-83f9-f353: Type confusion in V8 in Google Chrome prior to 108
ghsa_unreviewed·2022-12-02
CVE-2022-4262 [HIGH] CWE-843 GHSA-hq2w-83f9-f353: Type confusion in V8 in Google Chrome prior to 108
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108
osv·2022-12-02·CVSS 8.8
CVE-2022-4262 [HIGH] CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 108
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chromium V8 Type Confusion Vulnerability
vulncheck·2022·CVSS 8.8
CVE-2022-4262 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Type Confusion Vulnerability
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Affected: Google Chromium V8
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/summary/2023/360_APT_Annual_Research_Report_2022.pdf; https://blog.google/threat-analysis
Project0
Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
project_zero·CVSS 8.8
CVE-2022-4262 [HIGH] Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
# CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser
*Samuel Groß, V8 Security*
## The Basics
**Disclosure or Patch Date:** 2 December 2022
**Product:** Google Chrome
**Advisory:** https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
**Affected Versions:** 108.0.5359.71 and previous
**First Patched Version:** 108.0.5359.94
**Issue/Bug Report:** https://bugs.chromium.org/p/chromium/issues/detail?id=1394403
**Patch CL:** https://chromium.googlesource.com/v8/v8/+/27fa951ae4a3801126e84bc94d5c82dd2370d18b
**Bug-Introducing CL:** N/A
**Reporter(s):** Clement Lecigne of Google's Threat Analysis Group
## The Code
**Proof-of-concept:**
```javascript
let alloc = function() {
let tt = new ArrayBuffer(31 * 1024 * 1024 * 1024);
tt = new ArrayBu
Microsoft
Chromium: CVE-2022-4262 Type Confusion in V8
vendor_msrc·2022-12-13·CVSS 8.8
CVE-2022-4262 [HIGH] Chromium: CVE-2022-4262 Type Confusion in V8
Chromium: CVE-2022-4262 Type Confusion in V8
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.
Google is aware that an exploit for CVE-2022-4262 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
Cl
CISA
Google Chromium V8 Type Confusion Vulnerability
cisa·2022-12-05·CVSS 8.8
CVE-2022-4262 [HIGH] CWE-122 Google Chromium V8 Type Confusion Vulnerability
Vulnerability: Google Chromium V8 Type Confusion Vulnerability
Affected: Google Chromium V8
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply updates per vendor instructions.
Notes: https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html; https://nvd.nist.gov/vuln/detail/CVE-2022-4262
Remediation Due Date: 2022-12-26
Chrome
Stable Channel Update for Desktop: CVE-2022-4262
vendor_chrome·2022-12-02·CVSS 8.8
CVE-2022-4262 [HIGH] Stable Channel Update for Desktop: CVE-2022-4262
Stable Channel Update for Desktop
CVE-2022-4262: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group on 2022-11-29 We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel
Severity: high
Debian
CVE-2022-4262: chromium - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote at...
vendor_debian·2022·CVSS 8.8
CVE-2022-4262 [HIGH] CVE-2022-4262: chromium - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote at...
Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 108.0.5359.94-1)
bullseye: resolved (fixed in 108.0.5359.94-1~deb11u1)
forky: resolved (fixed in 108.0.5359.94-1)
sid: resolved (fixed in 108.0.5359.94-1)
trixie: resolved (fixed in 108.0.5359.94-1)
No detection rules found.
No public exploits indexed.
Checkpoint
5th December – Threat Intelligence Report
blogs_checkpoint·2022-12-05
CVE-2022-4262 5th December – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 5th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 5th December, please download our Threat Intelligence Bulletin .
Top Attacks and Breaches
Cyber criminals who breached Australian Medibank’s systems have released another batch of data onto the dark web, claiming that the files contain all data harvested in the former heist that impacted 9.7 million customers in October 2022. Medibank has confirmed the data breach.
Colombian healthcare provider Keralty, opera
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
blogs_qualys·2022-12-03·CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend
## Table of Contents
Organizations respond, but slowly
Qualys Patch Management speeds remediation
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug ( CVE-2022-4262 ; QID 377804 ) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patching
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend | Qualys
blogs_qualys·2022-12-03·CVSS 8.8
CVE-2022-4262 [HIGH] The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend | Qualys
#### Table of Contents
- Organizations respond, but slowly
- Qualys Patch Management speeds remediation
Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug (CVE-2022-4262; QID 377804) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine.
Google has withheld details about the vulnerability to prevent expanding its malicious exploitation and to allow users time to apply the security updates necessary on their Chrome installations.
Google’s previous zero-days were also released right before a weekend (see Don’t spend another weekend patching Chrome and Don’t Spend Your Holiday Season Patchi
https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.htmlhttps://crbug.com/1394403https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.htmlhttps://crbug.com/1394403https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-4262
2022-12-02
Published
2022-12-05
Added to CISA KEV
Exploited in the wild