⚠ Actively exploited
Added to CISA KEV on 2022-12-05. Federal agencies required to patch by 2022-12-26. Required action: Apply updates per vendor instructions..

CVE-2022-4262Type Confusion in Google Chrome

CWE-843Type ConfusionCWE-122Heap-based Buffer Overflow12 documents10 sources
Severity
8.8HIGHNVD
EPSS
6.4%
top 8.98%
CISA KEV
KEV
Added 2022-12-05
Due 2022-12-26
Exploit
Exploited in wild
Active exploitation observed
Affected products
5
Google ChromeChromiumDebian Chromium+2 more
Timeline
PublishedDec 2
KEV addedDec 5
KEV dueDec 26
Latest updateSep 1
CISA Required Action: Apply updates per vendor instructions.

Description

Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

CVEListV5google/chromeunspecified108.0.5359.94
NVDgoogle/chrome< 108.0.5359.94
debiandebian/chromium< chromium 108.0.5359.94-1 (bookworm)
Debianchromium/chromium< 108.0.5359.94-1~deb11u1+3

Patches

Patch: chromereleases.googleblog.comPatch: chromereleases.googleblog.com

🔴Vulnerability Details

5
Project0
Analyzing a Modern In-the-wild Android Exploit - Project Zero2023-09-01
GHSA
GHSA-hq2w-83f9-f353: Type confusion in V8 in Google Chrome prior to 1082022-12-02
OSV
CVE-2022-4262: Type confusion in V8 in Google Chrome prior to 1082022-12-02
VulnCheck
Google Chromium V8 Type Confusion Vulnerability2022
Project0
Project Zero RCA: CVE-2022-4262: Incorrect Bytecode Generation by JavaScript Parser

📋Vendor Advisories

4
Microsoft
Chromium: CVE-2022-4262 Type Confusion in V82022-12-13
CISA
Google Chromium V8 Type Confusion Vulnerability2022-12-05
Chrome
Stable Channel Update for Desktop: CVE-2022-42622022-12-02
Debian
CVE-2022-4262: chromium - Type confusion in V8 in Google Chrome prior to 108.0.5359.94 allowed a remote at...2022

🕵️Threat Intelligence

2
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend2022-12-03
Qualys
The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend | Qualys2022-12-03